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Abstract. The framework of psi-calculi extends the pi-calculus with nominal datatypes 
for data structures and for logical assertions and conditions. These can be transmitted 
between processes and their names can be statically scoped as in the standard pi-calculus. 
Psi-calculi can capture the same phenomena as other proposed extensions of the pi-calculus 
such as the applied pi-calculus, the spi-calculus, the fusion calculus, the concurrent con- 
straint pi-calculus, and calculi with polyadic communication channels or pattern matching. 
Psi-calculi can be even more general, for example by allowing structured channels, higher- 
order formalisms such as the lambda calculus for data structures, and predicate logic for 
assertions. 

We provide ample comparisons to related calculi and discuss a few significant applica- 
tions. Our labelled operational semantics and definition of bisimulation is straightforward, 
without a structural congruence. We establish minimal requirements on the nominal data 
and logic in order to prove general algebraic properties of psi-calculi, all of which have 
been checked in the interactive theorem prover Isabelle. Expressiveness of psi-calculi sig- 
nificantly exceeds that of other formalisms, while the purity of the semantics is on par 
with the original pi-calculus. 



The pi-calculus [MPW92] has a multitude of extensions where higher-level data struc- 
tures and operations on them are given as primitive. To mention only two there are the 
spi-calculus by Abadi and Gordon |AG99j focusing on cryptographic primitives, and the ap- 
plied pi-calculus of Abadi and Fournet [AFOlj where agents can introduce statically scoped 
aliases of names for data, used e.g. to express how knowledge of an encryption is restricted. 
It is also parametrised by an arbitrary signature for expressing data and an equation sys- 
tem for expressing data equalities. The impact of these enriched calculi is considerable 
with hundreds of papers applying or developing the formalisms. As Abadi and Fournet 
rightly observe there is a trade-off between "purity" , meaning the simplicity and elegance 
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of the original pi-calculus, and modelling convenience; expressing complicated schemes in 
the original pi-calculus can simply become too gruesome and error prone. 

But the modelling convenience of many high-level primitives comes at a price. The 
theory of the formalism may instead become gruesome and error prone, and it can be 
difficult to assess the effects of modifications to it. 

Our contribution in this paper is to define psi-calculi: a framework where a range of 
calculi can be formulated with a lean and symmetric semantics, and where proofs can be 
conducted using straightforward induction without the complications of stratified process 
definitions, structural congruence or explicit quantification of contexts. We claim to be 
the first to formulate such truly compositional labelled operational semantics for calculi of 
this calibre. Psi-calculi accommodate pi-calculus extensions such as the spi-calculus, the 
applied pi-calculus, fusion |WG05j . concurrent constraints [BM07], and pi-calculus with 
polyadic synchronisation [CM03j . 

The main idea is that a psi-calculus is obtained by extending the basic untyped pi- 
calculus with three parameters. The first is a set of data terms which can function as both 
communication channels and communicated objects. The second is a set of conditions, for 
use in conditional constructs such as if statements. The third is a set of assertions, used to 
express e.g. constraints or aliases, which can resolve the conditions. These sets need not 
be disjoint, and one of our main results is to identify minimal requirements on them. They 
turn out to be quite general and natural. 

Psi-calculi go beyond previous work on extending pi-calculus since we allow arbitrary 
assertions (and not only declarations of aliases), and arbitrary conditions (and not only 
equality tests). Also, we base our exposition on nominal datatypes and these accommodate 
e.g. alpha-equivalence classes of terms with binders. For example, we can use a higher- 
order logic for assertions and conditions, and higher-order formalisms such as the lambda 
calculus for data terms and channels. Thus we get the best of two worlds: expressiveness 
significantly exceeds that of the applied pi-calculus, while the "purity" of the semantics is 
on par with the original pi-calculus. 

The straightforward definitions make our proofs suitable for checking in a theorem 
prover. We have implemented our framework in Isabelle |NPW02] using its nominal data- 
type package |Urb08j . also known as Nominal Isabelle, and proved the algebraic properties 
of bisimilarity |BP09j . This gives us absolute certainty of general results for a large class of 
calculi — at least to the point of the current state of the art for machine checked proofs. 

In the next section we give the basic definitions of the syntax and semantics of psi- 
calculi. In Section [3] we relate to other work and demonstrate the expressiveness by showing 
how a variety of calculi can be formulated. Section H] contains more substantial examples 
on frequency hopping spread spectrum, multiple local services with a common global name, 
and cryptographic mechanisms including the Diffie-Hellman key agreement protocol. In 
Section [5] we introduce a notion of bisimilarity, establish the expected algebraic results 
about it, and demonstrate the proof of the most difficult parts. In Section [6] we discuss the 
full formalisation and implementation in Isabelle. Finally Section [7] concludes with ideas 
for further work. 

This article extends |BJPV09] by additional explanations, examples, and proofs, and 
a more strict formalisation of some comparisons to related calculi. We are very grateful to 
the three anonymous referees for many suggestions of improvements. 
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2. Definitions 

2.1. Nominal datatypes. We base psi-calculi on nominal datatypes. A reader unfamiliar 
with these need not fear: we shall provide what little background is needed and be generous 
with examples. A traditional datatype can be built from a signature of constant symbols, 
functions symbols, etc. A nominal datatype is more general, for example it can also contain 
binders and identify alpha-variants of terms. Formally a nominal datatype is not required 
to be built in any particular way; the only requirements are related to the treatment of the 
atomic symbols called names as explained below. 

As usual we assume a countably infinite set of atomic names N ranged over by a, . . . , z. 
Intuitively, names will represent the symbols that can be statically scoped, and also repre- 
sent symbols acting as variables in the sense that they can be subjected to substitution. A 
typed calculus would distinguish names of different kinds but our account will be untyped. 
A typing may contribute to clarity of expressions but it is not necessary for our results. 

A nominal set |Pit03t IGPOlj is a set equipped with name swapping functions written 
(a 6), for any names a, h. An intuition is that for any member X it holds that {ah) ■ X is 
X with a replaced by h and h replaced by a. Formally, a name swapping is any function 
satisfying certain natural axioms such as (a h) ■ {{a b) ■ X) = X. One main point of this is 
that even though we have not defined any particular syntax we can define what it means 
for a name to "occur" in an element: it is simply that it can be affected by swappings. The 
names occurring in this way in an element X constitute the support of X, written n{X). 
We write a^X, pronounced "a is fresh for X", for a In an inductively defined 

datatype without binders we will have a#X if a does not occur syntactically in X. In for 
example the lambda calculus where alpha-equivalent terms are identified (i.e. the elements 
are alpha-equivalence classes of terms) the support corresponds to the free names. If A is 
a set or a sequence of names we write A^X to mean Ma ^ A . a^X. 

We require all elements to have finite support, i.e., n(X) is finite for all X. It follows 
that for any X there are infinitely many a such that a^X. Some elements will have 
empty support, a prime example is the identity function in the lambda calculus, or a 
term of a traditional datatype not containing any names. A function / is equivariant if 
(a h) ■ f{X) = f{{a b) ■ X) holds for all X, and similarly for functions and relations of any 
arity. Intuitively, this means that all names are treated equally. 

A nominal datatype is a nominal set together with a set of equivariant functions on it. 
In particular we shall consider substitution functions that substitutes elements for names. 
If X is an element of a datatype, a is a sequence of names without duplicates and Y is an 
equally long sequence of elements of possibly another datatype, the substitution X[a := Y] 
is an element of the same datatype as X. In a traditional datatype substitution can be 
thought of as replacing all occurrences of names a by y. In a calculus with binders it can 
be thought of as replacing the free names, alpha-converting any binders to avoid capture. 

For the purpose of psi-calculi it turns out that we need not define exactly what a 
substitution does. The only formal requirements are that substitution is an equivariant 
function that satisfies two substitution laws: 

1: if a C n{X) and b G n(r) then b G n{X[d := f]) 
2: if 6#X,a then X[d := f] = ((6 a) • X)[b := f] 
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Law 1 says that substitutions may not lose names: any name b in the objects T that 
substitute for names a occurring in X must also appear in the substitution X[d := T]. 
Law 2 is a form of alpha-conversion for substitutions; here it is implicit that a and b have 
the same length, and (a b) swaps each element of d with the corresponding element of b. At 
the end of Section 12.51 we shall motivate why these laws are necessary. 

Example: Consider an inductively defined datatype without binders, where the support is 
the set of names that occur syntactically, and substitution is the syntactic replacement of 
names for terms, defined inductively in the usual way. The arguments that this substitution 
function satisfies our requirements are straightforward. Equivariance and Law 2 follow 
immediately by induction. For Law 1, suppose d C n{X). This means that all elements of 
a occur syntactically in X. Suppose b € n(T). This means that for some i, b £ n(Tj). This 
means that b occurs syntactically in Tj. Consider the corresponding Oj. We know Oj occurs 
syntactically in X. So then by definition Ti occurs syntactically in X[d := T]. Therefore b 
occurs syntactically in that term, and by definition is in the support of it. 

The main point of using nominal datatypes is that we obtain a general framework, 
allowing many different instantiations. Our only requirements are on the notions of support, 
name swapping, and substitution. This corresponds precisely to the essential ingredients 
for data transmitted between agents. Since names can be statically scoped and data sent 
into and out of scope boundaries, it must be possible to discern exactly what names are 
contained in what data items, and this is just the role of the support. In case a data element 
intrudes a scope, the scoped name needs to be alpha converted to avoid clashes, and name 
swapping can achieve precisely this. When a term is received in a communication between 
agents it must replace all occurrences of the placeholder in the input construct, in other 
words, the placeholder is substituted by the term. 

Since these are the only things we assume about data terms we can handle datatypes 
that are not inductively defined, such as equivalences classes and sets defined by comprehen- 
sion or co-induction. Examples include higher-order datatypes such as the lambda calculus. 
As long as it satisfies the axioms of a nominal datatype it can be used in our framework. 
Similarly, the notions of conditions, i.e., the tests on data that agents can perform during 
their execution, and assertions, i.e. the facts that can be used to resolve conditions, are for- 
mulated as nominal datatypes. This means that logics with binders and even higher-order 
logics can be used. Moreover, alpha-variants of terms can be formally equated by taking 
the quotient of terms under alpha equality, thereby facilitating the formalism and proofs. 

2.2. Terms, conditions, and assertions. Formally, a psi-calculus is defined by instanti- 
ating three nominal datatypes and four operators: 

Definition 2.1 (Psi-calculus parameters). A psi-calculus requires the three (not necessarily 
disjoint) nominal datatypes: 

T the (data) terms, ranged over by M, N 
C the conditions, ranged over by ip 
A the assertions, ranged over by ^ 
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and the four equivariant operators: 



T X T C Channel Equivalence 

(8> : A X A — ?• A Composition 

1 : A Unit 

h C A X C Entailment 



and substitution functions [a := M], substituting terms for names, on all of T, C and A. 

As an example, we can choose data terms inductively generated by some signature, 
assertions and conditions to be elements of a first-order logic with equality over these terms, 
entailment to be logical implication, (8) to be conjunction and 1 to be true. 

The binary functions above will be written in infix. Thus, if M and are terms then 
M -H- is a condition, pronounced "M and are channel equivalent" and if ^ and ^' are 
assertions then so is Also we write ^ \- (p, pronounced entails ip'\ for ip) € h. 

The data terms are used to represent all kinds of data, including communication chan- 
nels. Intuitively, two agents can communicate if one sends and the other receives along the 
same channel. This is why we require a condition Af -f^ to say that M and A^ represent 
the same communication channel. For example, in the pi-calculus o is just identity of 
names. 

The assertions will be used to declare information necessary to resolve the conditions. 
Assertions can be contained in agents and represent constraints; they can contain names and 
thereby be syntactically scoped and represent information known only to the agents within 
that scope. The operator ® on assertions will, intuitively, be used to represent conjunction 
of the information in the assertions. The assertion 1 is the unit for (8). 

The intuition of entailment is that ^ \- ip means that given the information in ^, it 
is possible to infer ip. We say that two assertions are equivalent if they entail the same 
conditions: 

Definition 2.2 (assertion equivalence). Two assertions are equivalent, written ^ ~ if 
for all ip we have that ^ \- ip ^ ^' \- ip. 

We can now formulate our requisites on valid psi-calculus parameters: 

Definition 2.3 (Requisites on valid psi-calculus parameters). 



Our requisites on a psi-calculus are that the channel equivalence is a partial equivalence 
relation, that iS) is compositional, and that the equivalence classes of assertions form an 
abelian monoid. In Section [2^ below we will demonstrate that all requisites in Definition 12. 31 
are essential. 

Note that channel equivalence is not required to be reflexive. Thus it is possible to have 
data terms that are not channel equivalent to anything at all, meaning that they cannot be 
used as channels. Also, note that properties such as weakening (\I' h (/? h (p) and 

idempotence (^'Cg)^' — ^) are not required. This means that we can in principle represent 



Channel Symmetry: 

Channel Transitivity: 

Compositionality: 

Identity: 

Associativity: 

Commutativity: 
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non-monotonic logics as well as logics to represent resource use, although these avenues 
remain yet unexplored. A main point of our work is to identify minimal requisites for the 
formal results on bisimilarity to hold, and here neither weakening nor idempotence turns 
out to be necessary. 

2.3. Frames. Assertions can contain information about names, and names can be scoped 
using the familiar pi-calculus operator u. For example, in a cryptography application an 
assertion ^ could be that the a datum represents the encoding of a message using a key k. 
This ^ can occur under the scope of vk, to signify that the key is known only locally. In 
order to admit this in a general way we use the notion of a frame, first introduced by Abadi 
and Fournet |AF01| . Basically, a frame is just an assertion with additional information 
about which names are scoped. The example above where ^ occurs under the scope of k 
will be written [vk)'^ , to signify a frame consisting of the assertion ^ where the name k is 
local. 

In the following a means a finite (possibly empty) sequence of names, ai, . . . ,a„. The 
empty sequence is written e and the concatenation of a and h is written ah. When occurring 
as an operand of a set operator, a means the corresponding set of names {ai, . . . , a„}. We 
also use sequences of terms, conditions, assertions etc. in the same way. 

Definition 2.4 (Frame). A frame is of the form {uh)'^ where 6 is a sequence of names that 
bind into the assertion 'f. We identify alpha variants of frames 

We use F, G to range over frames. Since we identify alpha variants we can always choose 
the bound names freely. 

Notational conventions: We write just ^ instead of {ve)'^ when there is no risk of 
confusing a frame with an assertion, and (8) to mean composition on frames defined by 
(i^6i)^i®(!/62)^2 = {uhih2)^i®'^2 where hi # 62,^2 and vice versa. We write {i>c){{vh)'^) 
to mean {ucb)'^. 

Intuitively a condition is entailed by a frame if it is entailed by the assertion and does 
not contain any names bound by the frame. Two frames are equivalent if they entail the 
same conditions: 

Definition 2.5 (Equivalence of frames). We define h 93 to mean that there exists an 
alpha variant (z^6)^' of F such that fe^v? and ^ \- ip. We also define F ~ G to mean that 
for all if it holds that F h 99 iff G h 93. 

For example {vah)'^ ~ {vha)^ and if then {va)'^ ~ ^. 

To take an example of first-order logic with equality, assume that the term enc(M, A;) 
represents the encoding of message M with key k. Let ^ be the assertion C = enc{M,k), 
stating that the ciphertext C is the result of encoding M by k. If an agent contains this 
assertion the environment of the agent will be able to use it to resolve tests on the data, in 
particular to infer that C = enc(M, k). In other words, if the environment receives C it can 
test if this is the encryption of M. In order to restrict access to the key k it can be enclosed 
in a scope vk. The environment of the agent will then have access to the frame (i/k)^ 

^In some presentations frames have been written just as pairs (b, 'I'). The notation in this paper better 
conveys the idea that the names bind into the assertion, at the shght risk of confusing frames with agents. 
Formally, we establish frames and agents as separate types, although a valid intuition is to regard a frame 
as a special kind of agent, containing only scoping and assertions. This is the view taken in |AF01] . 
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rather than ^ itself. This frame is much less informative, for example it does not hold that 
(vk)^ \- C = enc(M, k). Here great care has to be made to formulate the class of allowed 
conditions. If these only contain equivalence tests of terms, (vk)^ will entail nothing but 
tautologies and be equivalent to 1. But if quantifiers are allowed in the conditions, then by 
existential introduction ^ h 3k. (C = enc{M,k)), and since this condition has no free k we 
get (I'k)^ h 3k. {C = enc{M,k)). In other words the environment will learn that C is the 
encryption of M for some key k. We shall return to examples related to cryptography in 
Section 13.21 

Most of the properties of assertions carry over to frames. Channel symmetry and 
channel transitivity, identity, associativity and commutativity all hold, but compositionality 
in general does not. In other words, there are psi-calculi with frames F, G, H where F G 
but not F^H ~ G®H. An example is if there are assertions ^, ^' and for all names a, 
conditions ip' and for all names o, and where the entailment relation satisfies l~ '■Pa and 
^' h ip' . Suppose composition is defined such that ^'(8'^' = ^ and all other compositions 
yield ^' . By adding a unit element this satisfies all requirements on a psi-calculus. In 
particular (8) is trivially compositional because no two different assertions are equivalent. 
Also (i^a)^„ ~ ^, but '^®{va)^a 9^ "^^^ since ^ffXi^a = ^' H 'p' . 

2.4. Agents. 

Definition 2.6 (psi-calculus agents). Given valid psi-calculus parameters as in Defini- 
tions [2]T] and [231 the psi-calculus agents, ranged over by P,Q,..., are of the following 
forms. 

Nil 

MN . P Output 

M_{Xx)N.P Input 

case pi : Pi W ■ ■ ■ W pn ■ Pn Case 

[va)P Restriction 

P I Q Parallel 

\P Replication 

(\^\) Assertion 
In the Input M_{\x)N .P we require that x C n(A^) is a sequence without duplicates, and 
the names x bind occurrences in both N and P. Restriction binds a in P. We identify alpha 
equivalent agents. An assertion is guarded if it is a subterm of an Input or Output. In a 
replication \P there may be no unguarded assertions in P, and in case pi : Pi \\ ■ ■ ■ \\ pn '. Pn 
there may be no unguarded assertion in any Pj. 

In the Output and Input forms M is called the subject and N the object. Output 
and Input are similar to those in the pi-calculus, but arbitrary terms can function as both 
subjects and objects. In the input M_{\x)N .P the intuition is that the pattern {\x)N can 
match any term obtained by instantiating x, e.g., M(Ax, y)f{x, y).P can only communicate 
with an output M f{Ni, N2) for some data terms Ni,N2. This can be thought of as a gen- 
eralisation of the polyadic pi-calculus where the patterns are just tuples of names. Another 
significant extension is that we allow arbitrary data terms also as communication channels. 
Thus it is possible to include functions that create channels. 

The case construct as expected works by behaving as one of the Pi for which the cor- 
responding Pi is true, case pi : Pi W ■ ■ ■ W pn ■ Pn sometimes abbreviated as case ip : P, 
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or if n = 1 as if ipi then Pi. In psi-calculi where a condition T exists such that \I' h T for 
ah ^ we write P + Q to mean case T : P W T : Q. 

Input subjects are underhned to facihtate parsing of comphcated expressions; in simple 
cases we often omit the underhne. In the traditional pi-calculus terms are just names and 
its input construct a{x) . P can be represented as a{Xx)x.P. In some of the examples to 
follow we shall use the simpler notation a{x) . P for this input form, and sometimes we omit 
a trailing 0, writing just MN for MN . 0. If the object of an Output is a long term we 
enclose it in brackets ( ) to make it easier to parse. 

For a simple example, the pi-calculus |MPW92] can be represented as a psi-calculus 
where the only data terms are names, the only assertion is 1, and the conditions are equality 
tests on names. Substitution is the standard capture-avoiding syntactic replacement of 
names for names. We call this instance Pi, and formally we have: 

T M 

C = {a = b:a,beT} 
A {1} 

def 

O = = 



def 



1 1 

h {{l,a = a) :aeJ\f}} 

We can represent pi-calculus choice using the case statement: the pi-calculus term 
P + Q corresponds to (z^a)(case a = a : P [] a = a : Q), where ai^P,Q, and pi-calculus 
match [a = b]P to if a = 6 then P. We will return to this instance in Section [3l 

We obtain the polyadic pi-calculus by adding the tupling symbols t^ for tuples of arity n 
to T., i.e. T = AAU {tn(Mi, . . . , M„) : Mi, . . . , M„ G T}. The polyadic output is to simply 
output the corresponding tuple of object names, and the polyadic input a(6i, . . . .P 
is represented by a pattern matching a(A6i, . . . , 6n)t„(6i, . . . , bn) ■ P- Strictly speaking this 
allows nested tuples and tuples also in subject position in agents, but as we shall see such 
prefixes will not give rise to any transition, since in this psi-calculus M o M is only entailed 
when M is a name, i.e., only names are channels. 

In a psi-calculus the channels can be arbitrary terms. This means that it is possible to 
introduce functions on channels (e.g., if M is a channel then so is f{M)). It also means 
that a channel can contain more than one name. An extension of this kind is explored by 
Carbone and Maffeis |CM03j in the so called pi-calculus with polyadic synchronisation, ^tt. 
Here action subjects are tuples of names, and it is demonstrated that this allows a gradual 
enabling of communication by opening the scope of names in a subject, results in simple 
representations of localities and cryptography, and gives a strictly greater expressiveness 
than standard pi-calculus. We can represent ^tt by using tuples of names in subject position. 
The only modification to the representation of the polyadic pi-calculus is to extend h to 
|-= {(1, M -H- M) : M € T}, and to remove the conditions of type M = N (since they can 
be encoded in ^vr). 

The data terms can also be drawn from a higher-order formalisms. It is thus pos- 
sible to transmit functions between agents. For example, let T be the lambda calcu- 
lus, containing abstractions Xx.M and applications MN. In the parallel composition 
a (Xx.M) . P I a{z).b{zN).Q the left hand component transmits the function Xx.M to 
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the right, where the apphcation of it to N is transmitted along b. Reduction would be 
represented as a binary predicate over lambda terms and could be tested in psi-calculus 
conditions (the reduction rules would be part of the definition of entailment). In this sense 
psi can resemble a higher-order calculus. It is even possible to let the terms be the psi- 
calculus agents themselves. An agent transmitted as a term cannot directly communicate 
with the agent that sent or received it, but there is a possibility of indirect interaction 
through the entailment relation. This area we leave for further study. 

2.5. Operational semantics. In this section we define an inductive transition relation on 
agents. In particular it establishes what transitions are possible from a parallel composition 
P \ Q. In the standard pi-calculus the transitions from a parallel composition can be 
uniquely determined by the transitions from its components, but in psi-calculi the situation 
is more complex. Here the assertions contained in P can affect the conditions tested in Q 
and vice versa. For this reason we introduce the notion of the frame of an agent as the 
combination of its top level assertions, retaining all the binders. It is precisely this that can 
affect a parallel agent. 

Definition 2.7 (Frame of an agent). The frame J~{P) of an agent P is defined inductively 
as follows: 

J'(O) = T{M{Xx)N.P) = T(MN.P) = T{case ^ : P) = T{\P) = 1 

Hm) = ^ 

F{P I Q) = F{P) F{Q) 
H{^h)P) = {ub)HP) 

For a simple example, if a^^i: 

J^{(\^i\)\{ua){(\^2\)\MN.{\^3\)) = (z.a)(^i»^2) 

Here ^'3 occurs under a prefix and is therefore not included in the frame. An agent where 
all assertions are guarded thus has a frame equivalent to 1. In the following we often 
write (i/6p)^p for J-{P), but note that this is not a unique representation since frames are 
identified up to alpha equivalence. 

The actions a that agents can perform are of three kinds: output actions, input actions 
of the early kind, meaning that the input action contains the received object, and the silent 

action r. The operational semantics consists of transitions of the form ^ [> P P' . 

This transition intuitively means that P can perform an action a leading to P' , in an 
environment that asserts ^. 

Definition 2.8 (Actions). The actions ranged over by a, (3 are of the following three kinds: 

'M{va)N Output, where a C n(A^) 
M N Input 
r Silent 

For actions we refer to M as the subject and as the object. We define bn(M(i/a) A) = 
a, and bn(a) = if a is an input or r. We also define n(T) = and n(a) = n(A) U n(M) 
if a is an output or input. As in the pi-calculus, the output M(iyd)N represents an action 
sending N along M and opening the scopes of the names d. Note in particular that the 
support of this action includes d. Thus M{va)a and M{yb)b are different actions. 
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M ^ K M ^ K 

In — — ~ Out 



^ > M{Xy)N.P p[y := L] ^ > MN.P ^ P 

^ > Pi ^ P' ^'^ ifi 



Case 



^ \> case ip:P P' 



%(8)^' > P ^""-^ > P' ^-p®* [> Q Q' ^®^p®^o h M <^ K ^ 
Com a#(5 

^ > P\Q ^ {ua){P' I Q') 

^O®^ > P P' ^ > P P' 
Par — bn(a)#Q Scope 5- 

^ > P ^ > P' b#a, ^, Af ^ ^ > P IP ^ P' 
Open _ ^ _ ^ ^ , , Rep 

q, ^ ^j,b)P A/ {uaU{b})N^ p, b e n(7V) ^ ^ ,p ^ 

Table 1: Operational semantics. Symmetric versions of Com and Par are elided. In the 
rule Com we assume that T{P) = {ubp)'^p and T{Q) = (z/6q)^'q where bp is 
fresh for all of ^,bQ,Q, M and P, and that bq is correspondingly fresh. In the 
rule Par we assume that J-{Q) = {vbQ)'^Q where bq is fresh for ^,P and a. In 
Open the expression a U {6} means the sequence a with b inserted anywhere. 

Definition 2.9 (Transitions). A transition is of the kind ^ [> P P', meaning that 
when the environment contains the assertion ^ the agent P can do an a to become P'. The 

transitions are defined inductively in Table [TJ We write P P' to mean 1 [> P 

P'. In In the substitution is defined by induction on agents, using substitution on terms, 
assertions and conditions for the base cases and avoiding captures through alpha-conversion 
in the standard way. 

Both agents and frames are identified by alpha equivalence. This means that we can 
choose the bound names fresh in the premise of a rule. In a transition the names in bn(a) 
count as binding into both the action object and the derivative, and transitions are identified 
up to alpha equivalence. This means that the bound names can be chosen fresh, substituting 
each occurrence in both the object and the derivative. This is the reason why bn(a) is in 
the support of the output action: otherwise it could be alpha-converted in the action alone. 
Also, for the side conditions in Scope and Open it is important that bn(a) C n(a). In 
rules Par and Com, the freshness conditions on the involved frames will ensure that if a 
name is bound in one agent its representative in a frame is distinct from names in parallel 
agents, and also (in Par) that it does not occur on the transition label. We defer a more 
precise account of this to Section [6l 

The environmental assertions ^ t> ■ ■ ■ in Tabled] express the effect that the environment 
has on the agent: enabling conditions in Case, giving rise to action subjects in In and Out 
and enabling interactions in Com. Thus ^ never changes between hypothesis and conclusion 
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except for the parallel operator, where an agent is part of the environment for another agent. 
In a derivation tree for a transition, the assertion will therefore increase towards the leafs 
by application of Par and Com. If all environmental assertions are erased and channel 
equivalence replaced by identity we get the standard laws of the pi-calculus enriched with 
data structures. 

In comparison to the applied pi-calculus and the concurrent constraint pi calculus one 
main novelty is the inclusion of environmental assertions in the rules. They are necessary to 
make our semantics compositional, i.e., the effect of the environment on an agent is wholly 
captured by the semantics. In contrast, the labelled transitions of the applied and the 
concurrent constraint pi-calculi must rely on an auxiliary structural congruence, containing 
axioms such as scope extension {ua){P \ Q) = {va)P \ Q if a^Q. With our semantics such 
laws are derived rather than postulated. The advantage of our approach is that proofs of 
meta-theoretical results such as compositionality are much simpler since there is only the 
one inductive definition of transitions. 

Substitution enters the semantics at one point only: the law In which defines the effect 
of an input. Returning to the substitution laws in Section [2.11 it is easy to motivate Law 2: 
it is needed to make sure that alpha equivalent agents have the same transitions. Law 1 
has a more involved motivation related to the fact that the objects of transition labels must 
record all received names, otherwise we lose the principle of scope extension. To see this, 
let 1 h M o M, 6#M, N, and 

R = M{\x)N . x{y) . | {vh)hc . 
The only transitions from R are 

R ^^^^■■=^\ {x{y).0)[x -.= 1] I {ub)bc.O 

for all L. Here there is no communication possible between the two components, even if 
L = b. In contrast, consider 

T = {ub){M{Xx)N . x{y) . | 6c . 0) 

T is obtained from R through scope extension. Without Law 1 we can have b#N[x := b] 
which means that through ScOPE there is a transition 

T M^E^ (i.6)(5(y).0) \bc.O) 

which can continue with an interaction between the components. R and T therefore do 
not behave the same. The culprit is the transition from T which corresponds to a scope 
intrusion, i.e. the reception of a name which is already bound in the receiving agent. To 
prevent such transitions the law ScOPE has a side condition that the bound name may not 
occur in the transition label. For this side condition to be effective. Law 1 guarantees that 
a received name actually appears in the label. 

2.6. Illustrative examples. For a simple example of a transition, suppose for an assertion 
\I' and condition if that ^ \- ip. Assume that 

V^'.^-' > Q ^ Q' 

i.e., Q has an action a regardless of the environment. Then by the Case rule we get 

^ \> if if then Q ^ Q' 
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i.e., if ip then Q has the same transition if the environment is ^. Since = ^ and 

^(8)1 = ^f, if bn(a)#^' we get by Par that 

1 > ^^-1) I if (/J then Q ^ Q' 

Data terms may also represent communication channels and here the channel equiv- 
alence comes into play. For example, in a polyadic pi-calculus the terms include tuples 
and projection functions with the usual equalities, e.g. 7ri(t2(a,6)) = a. If these terms can 
represent channels then they must represent the same channel, consequently we must have 
^ h 7ri(t2(a, &)) ^ a for all ^. As an example, 

aiV.P I vri (t2(a, 6) ) (y).Q ^ P\Q\y:=N\ 

Agents such as 7ri(t2(a, 6)) (y) .Q can arise naturally if tuples of channels are transmitted 
as objects. For example, an agent that receives a pair of channels along c and then inputs 
along the first of them is written c{x) . tti (x) (y) . Q. When put in parallel with an agent that 
sends t2(a, 6) along c it will have a transition leading to the agent where x is substituted 
by t2(a, 6), i.e. 7ri(t2(a,&)) (y) ■ Q. 

The semantics makes no particular provision for an equality of terms in object position. 
Thus, the agents ca.P and C7ri(t2(a, 6)) . P have different transitions, and correspond to 
sending out the unevaluated "texts" a and 7ri(t2(a, &)) respectively. To represent agents 
which send evaluated "values" we can do as in the applied pi-calculus where assertions 
declare equivalence of terms and agents send freshly generated aliases, e.g. 

{vz){cz.P\ (|z = 7ri(t2(a,6))D) 

This agent has the same transition as {uz){cz . P \ (\z = a|)). Any agent receiving the z 
will not be able to distinguish if z is a or 7ri(t2(a,6)) since these terms are equated by all 
assertions. Also, if a and h are scoped as in 

{ua,b,z){cz.P\ Oz = 7ri(t2(o,6))^) 

then their scopes will not open as a consequence of the output. In the applied pi-calculus 
this is the only form of communication and it is not possible to directly transmit data 
structures containing channel names, like the name tuples of the polyadic pi-calculus above. 
In psi-calculi these communication possibilities can coexist. 

The main technical issue in the semantics is the treatment of scoping, as illustrated 
by the following example where the terms are just names. The intuition is that there is a 
communication channel available to all agents, and agents can declare any name to represent 
it through an assertion. The assertions are thus sets of names, and any name occurring in 
the assertion can be used as the subject of an action. Any two names in the assertion are 
deemed channel equivalent. Formally, 

N 

{a o 6 : a,6 e T} 

u 



{(^',o o 6) : a,6 e ^} 



T 
C 
A 

® 
1 

h 



dot 
def 
def 
def 
def 
def 
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Omitting the action and prefix objects we get 

{a,b} \>a.O 

and also 

{a,b} >a.O A 

By the Par rule we have 

0>a.OM{a,6}D A 0\(\{a,b}\) 

and 

[> a.O I (\{a,b}\) A | (\{a,b}\) 
Applying a restriction we get 

> {ua){a.O I (\{a,bm A {ua){0 \ (\{a,bm 

but no corresponding action with subject a because of the side condition on Scope. Thus, 
a communication through COM can be inferred from 

(z^a)(a.O I (!{«,&}[)) I 6.0 

but not from 

{ua){a.O I (\{0',b}\)) \ a.O 
This instance of a psi-calculus also illustrates two features of the semantics: firstly that 
channel equivalence is used in all three rules In, Out and COM, and secondly that assertions 
rather than frames represent the environment. Both issues are related to the law of scope 
extension. Elaborating the example above and noting that {a} U {6} h a -f^ 6, we get that 

{ua,b){m\)\m\)\a.O\b.O) 

has an internal communication. By scope extension this agent should have the same tran- 
sitions as P \ Q where 

P = {uam{a}\)\a.O) Q = {ubmb}\) \ b ■ 0) 

Here T{P) = (z/a){a} and J^{Q) = {i'b){b} are alpha equivalent. Since they will be com- 
posed below we choose different representatives for the bound names. A communication 
from P \ Q is inferred by COM and the premises 

1. {b}^p 1^ M(^WD I 0) 

(derived using {a} (g) {b} = {a, 6} h a o 6 in Out) 

2. {a}t>Q ^ {i^bmm I 0) 

(derived using {6} {a} = {a, 6} h a o 6 in In) 

3. {a} (g) {b} = {a,b} \- a <^ b 

Note how the action subjects are derived by the assertions in both cases to not clash with 
the binders, and that channel equivalence is necessary in all three rules. 

The same example demonstrates why transitions in Table [1] are defined with assertions 
and not frames, for whereas {a, b} \- a <^ b the corresponding result cannot be obtained from 
the frames of the agents. We have that T{Q) (8) {a} = (i^6){a, 6} F a o 5, so that frame is 
not useful for deriving a transition from P. Our earlier attempt |JPVB08] erroneously used 
frames rather than assertions, and this means that scope extension does not hold unless a 
further condition is imposed on the entailment relation to eliminate this kind of example. 
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We close this section by demonstrating why the requisites in Definition l2.3l are necessary: 
omitting any of them would lead to a calculus that does not satisfy fundamental properties 
of the parallel operator. Compositionality and the abelian monoid laws in Definition 12.31 are 
straightforward in this respect since without them the corresponding properties of parallel 
composition on agents do not hold. For example, we will want parallel composition to be 
commutative in that the agent P \ Q behaves the same as Q | P in all respects. At the 
very least this implies that their frames entail the same conditions (it may also imply other 
things not important for this argument), which means that (8> must be commutative for 
assertion equivalence. In a similar way the other requisites on (8) are necessary for parallel 
operator to be compositional, associative, and have as identity. 

To demonstrate that channel equivalence must be symmetric, consider any psi-calculus 
where 'J/i and are such that ^'1(8)^2 \~ a -H- b and ^i0"^2 ^ b -H- b. We shall argue that 
also ^i(8>^'2 h 6 o a must hold, otherwise scope extension does not hold. Consider the 
agent 

ii^a,b)i(\^i\) I (\^2\) I a.O I 6.0) 
which has an internal communication r using b as subjects in the premises of the Com rule. 
If b^^i and a#^2) by scope extension the agent should behave as 

{ua)mi\)\a.O) I {i^bm2\)\b.O) 

and therefore this agent must also have a r action. The left hand component cannot do 
an a action, but in the environment of ^'2 it can do a 6 action. Similarly, the right hand 
component cannot do a 6 action. The only possibility is for it to do an a action, as in 

^-1 > {jyb){(\^2\) I 6.0) ^ ••• 

and this requires ^'i®^2 H 5 -H- a. 

Finally, we motivate the requisite that o must be transitive. Let 1 entail a -H> a for all 
names a, and let ^ be an assertion with support {a, b, c} that additionally entails the two 
conditions a -H- b and b <^ c, but not a O c, and thus does not satisfy transitivity of channel 
equivalence. If ^ entails no other conditions then (i/b)^ ~ 1, and we expect (z^6)(|^^ to be 
interchangeable with (]1D in all contexts. Consider the agent 

a.O I c.O I ii^b)(\^\) 

By scope extension it should behave precisely as 

(z^6)(a.O I c.O I d^^) 

This agent has a r-transition since ^ enables an interaction between the components a . 
and c . 0. But the agent 

a.O I c.O I 

has no such transition. The conclusion is that (vb)^ must entail that the components can 
communicate, ie. that a -H- c, in other words ^' h a -H- c. 

3. Expressiveness and related calculi 

In this section we explore the expressiveness of psi-calculi, mainly in comparison to 
other process calculi. 
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3.1. The pi-calculus. In Section 12.41 we saw the instance Pi which corresponds to the 
pi-calculus. We will now make the relationship formal. The pi-calculus under consideration 
is the standard pi-calculus with replication instead of recursion, without mismatch, and 
without a rule for structural congruence in the semantics. The encoding of a pi-calculus 
agent P into Pi, [-Pjp;, is defined as: 

lOlpi = 
H.Plpi = a6.[Plpi 
[a(x).Plpi = a{Xx)x.{P\^, 

{P\QU = MpillQlpi 
pPlpi = ![Plpi 

|(z.a)Plpi = (^«)Mpi 
[[a = 6]P]pj = case a = 6 : [Pip; 
{P + Qlpi = (i/a)(case a = a : [P]pi Q a = a : [QJp;) where a#P, Q 

To prove that P and l-Pjp; have the same transitions the following two lemmas about 
substitutions and support are needed. We use the standard definition of substitution in the 
pi-calculus, replacing free names for new ones, a-converting as necessary to avoid capture. 

Lemma 3.1. If P is a pi-calculus agent, then \P\-p-^[x := b] = \P[x := fe]]pi. 

Proof. Straightforward induction over the structure of P. □ 

Lemma 3.2. If P is a pi-calculus agent, then n(P) = n(|P]pj). 

Proof. Straightforward induction over the structure of P. □ 
Let a be a pi-calculus action. We define the encoding of a into psi-calculi actions as: 



la&lpi 


= ab 


[a{ub)bjp, 


= a{yb)b 


I«^lpi 


= ab 


Hpi 


= T 



We denote a pi-calculus transition as P -^tt P'. We then have the following relation 
between the pi-calculus agent P and the Pi agent [-Pip;: 

Lemma 3.3 (Transitions in Pi and the pi-calculus correspond). If P is a pi-calculus agent, 
then 

ifP P' then [Pip; [P'lpi 

and 

if Mpi ^ P" then P P' where [ajp; = a and {P'jp. = P" . 

Proof. The proof is by induction over the length of the derivation of P -—^-e P' and 

I-^lpi 1 respectively. As an illustration, one induction case is shown: the case when 

the pi-calculus transition is derived with tt-Close: 

p IM^^ p' Q Q' 

tt-Close b ^ fn(Q) 

P\Q ^E {iyb){P' I Q') 

By induction it follows that [P]pi [P'lp; and that [Qlpj ^ IQ'lp;. Since there 

is only one assertion in Pi, the frames of [Pjp; and [QJp; will be equivalent to 1. We 



16 



J. BENGTSON, M. JOHANSSON, J. PARROW, AND B. VICTOR 



choose the frames so that their bound names are sufficiently fresh according to rule Com. 
It trivially holds that 1 \- a = a, and by definition in Pi we have that 1(8)1 = 1, so also 
l(g)l(g)l h a = a. Since b ^ fn(Q) (i.e. b#Q) it follows from Lemma [32] that 6#|g]pj. We 
now derive the following: 

101 > iPip; rip; 

Com &#[Qlpi 

1 t> [Plpi I igip; ^ (^b)(lP'lpi I IQ'lpi) 

By definition we have that {P \ Qjp. = {Pjp. | {Qjp., and that I(z^6)(P' | Q')lpi = 
(i^6)([P']pj I [Q']pi), and that [a(z^6)6]pi = a{vh)h^ so in other words we have that 

IP I QJp. ilU I Q')Jp.. □ 

In Section [5] we shall see that strong bisimulation in the pi-calculus and in Pi coincide. 



3.2. Calculi for cryptography. Psi-calculi can express a variety of cryptographic oper- 
ations on data. The main idea was illustrated in Section 12. 3| using assertions to define 
relations between ciphertext and plaintext. Here we make the description more precise. 
Let the assertion "C = enc(M, A;)" mean that encrypting the message M with the key 
k results in the ciphertext C, and let "M = dec(C, /c)" mean that decrypting C with 
key k yields M. Entailment contains equations relating encryption and decryption such as 
VM, k. dec(enc(M, k),k) = M . The point is that a secure key can be represented by a bound 
name: it is unguessable outside its scope. An example agent aC . {vk){(\C = enc(M, k)\j \ P) 
outputs a term C and asserts that it is the encryption of M using the bound k as key, with- 
out opening the scope of k. Therefore an agent receiving C can resolve the condition 
dec(C, k) = M only after receiving this /c in a communication. Technically this is because 
of the freshness conditions in the Par rule in Table [J where bq is assumed fresh for P: this 
means that to apply the rule, P cannot use any name bound in the frame of Q. 

This closely resembles the situation in the applied pi-calculus [AFOlj . By contrast, 
in the spi-calculus |AG99j encrypted messages such as enc(M, k) are transmitted directly. 
Consider an example spi-calculus process 

P = {uk, 7n)a{enc{m, k)) . P' where P' = b{x) . if x = m then c (3.1) 

Here P sends a fresh name m encrypted with a fresh key k to the environment, and then 
receives a value x. Assuming perfect encryption, the environment cannot know m or k, 
so P' cannot receive m along b, and the output on c will never be possible. However, in 
the spi-calculus the transition P ('^^''")°(^"^("^'^))., p' opens the scopes of k and m, so here 
scoping does not correspond to restriction of knowledge. A reasonable equivalence must 
explicitly keep track of which names are known, leading to several complex bisimulation 
definitions (see |BN05j for an overview). 

The applied pi-calculus is data terms and an equational theory \—£ over S, and, more 
importantly, introduces active substitutions {^^x} of data terms for variables. These can be 
introduced by the inferred structural rule {i^x){{^/x} \ A) = A[x := M]. There are names 
a, b, c distinct from variables x, y, z where only variables can be substituted, and a simple 
type system to distinguish names and variables of channel type from other terms of base 
type. Only names of channel type can be used as communication channels. Structured data 
terms cannot be sent directly, instead an alias variable such as x must be used, and the 
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term itself does not occur on the transition label. We have P = Q for P above in (I3.ip . 
where 

Q = {lyx, k, m)(f "^('"'^Vx} I ax . P') (3.2) 

Here Q "'^^^^^) {i/k,m){{^"'^^^'''^^/x} | P') and only the alias of the encryption (its "value") 
appears on the label; the scope of k and m is not opened and in this sense they are still 
confidential to the environment. However, the labelled semantics does not allow sending 
structured data terms where the scope should be opened, such as a tuple of names in the 
polyadic pi-calculus. 

The labelled semantics for applied pi turns out to be non-compositional. Consider the 
closed (extended) applied pi-calculus agents 

^ = (H({7,} |x.6.0) 5 = (H({7x} I 0) (3.3) 

where we omit the objects of the prefixes. They have the same frame and no transi- 
tions, and are thus semantically equivalent. But a context can contain x and can there- 
fore use the active substitution to communicate with A. Formally, let R = x.O and 
-Ij- h the usual weak observation or barb. We have by scope extension that A \ R = 
(;yo)({%} I x.6.0 I x.O) J| 6, but it is not the case that B \ R ^ h. Therefore, no 
observational equivalence that is preserved by all contexts and satisfies scope extension can 
be captured by the labelled semantics. In this. Theorem 1 of [AFOlj is incorrect; the la- 
belled and observational equivalences do in fact not coincide, nor is labelled equivalence a 
congruence. This is relevant for other papers that use or develop the labelled semantics, 
e.g. IGLPT071 lKR05l IDKR071 ICRZ071 IGodlOj . 

Possible fixes are to disallow aliases for channel names, to be satisfied with composi- 
tionality for closed contexts, or to allow variables in action subjects. The consequences are 
difficult to assess, and our proposed solution is to instead define a psi-calculus. 

A complication when defining a psi-calculus to correspond to the applied pi-calculus is 
that bisimulation there is only defined on closed agents, and removing this restriction yields 
a non-compositional theory. The source of this non-compositionality is the requirement 
that active substitutions must be acyclic. Assume that the equational system includes 
the identity f(?/) = ^{z). We then get that {^^^V^^} is bisimilar to {^^^Vi'}' but only one 
becomes circular when composed with {^/y}- In psi-calculi, no notion of closedness exists, 
and compositionality is required. For these reasons we cannot exactly capture the applied 
pi-calculus. 

We define the instance APi as follows (this presentation corrects a mistake in |BJPV09] ). 
Since our names and terms are untyped we add constructs for channels, Ch(M), for vari- 
ables, Var(x), and for names which are neither channels nor variables, Nonce(A;). We extend 
hs so that hs Ch(M) = Ch(M) for all M e T, hs Nonce(a) = Nonce(a) for all a e 7\A, and 
hs Var(x) = Var(x) for all x £ M. Furthermore we define EQN({*'^VArj}, . . . , {^V-WnD to 
be the set of equations {Mi = A''i, . . . , M„ = Nn}- Substitution on terms is defined in the 
expected way except for terms of kind Var(x) and Nonce(a). For terms of these kinds we 
have that Var(x)[x := M] = M and Nonce(a)[a := M] = M. A term M is ground if it has 
no subterms of kind Var(x). We write l~x;uE' for the equational theory hs extended with 
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the equations from h^'- 

T = A/'U{Nonce(fc) : A; € A/'}U{Var(a;) : X G AA}U{Ch(A/) : M e T}U 
{f(Mi,...,M„):fGSAAf:, gT} 

C =^ {M = N, ^{M = N),M N : M,N £T} 

A = VU{{^'/N}:M,NeT})} 



M = N a hsuEQNC*) M = N 
^ \- ^{M = N) if there exists ground M', N' such that 

'~SUEQN(*) M = M', 

^suEQNC*) N = N', and 
^(^' h M' = N') 
^ h M <^ N if h M = N A3c : h M = Ch(c) 

Assertions are finite sets of active substitutions of the more general form {^^n}, ^ is 
union, and entailment deduces equality under the equational theory with equations added 
to represent the active substitutions. The conditions are as for the applied pi-calculus 
except for -i(M = N) which is needed to represent the if M = then P else Q construct 
of applied pi as case M = N : P W -i(M = A^) : Q in APi. As in applied pi, the terms 
compared for inequality need to be ground. Channel equivalence M N requires that 
there is a channel name equal to both M and N . 

To see that this is a proper instance we must check that the substitution function is equi- 
variant and respects the freshness and a-equivalence properties, as described in Section [2Tl 
Furthermore it must satisfy the requirements from Definition 12.31 That the substitution 
function has the required properties is shown in Section [2. 11 and the special cases for Var(a;) 
and Nonce(o) pose no additional problem. Channel symmetry and transitivity hold since 
the underlying equational theory is symmetric and transitive. Identity, associativity, and 
commutativity hold since union has these properties. Compositionality holds assuming that 
the equational system is compositional, i.e if VM, A'" : h^i M = N ^ M = N implies 
VM, N : hsius' M = N ^ HsjUE' M = N. 

The encoding [^J^p; of an applied pi agent A into APi is homomorphic with the 
following exceptions: 

1*^1 APi ~ Ch(a) if the name a is of channel type and not a binding occurrence 

[■^Iapi ~ Var(x) if the variable x is not a binding occurrence 

I^Iapi ~ Nonce(A;) if the name k is not of channel type or a binding occurrence 

Note that in translations of applied pi-calculus agents and their derivatives, the only form 
of active substitutions will be on the form {^Vvar(2,')}- Also the only substitutions will be of 
variables. We allow for the general form of active substitutions {^/n} and substitution of 
channels and nonces simply to make the substitution function total as required. We adhere 
to the applied pi convention that channel names are ranged over hy a, b,c, ... , nonces are 
ranged over by k,l,m, . . . , and variables are ranged over hy x,y, z, . . . . For readability, in 
the following we omit the constructs Ch(a), Nonce(A;), and Var(x), and just write a, k, and 
X, also in APi-agents. 
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APi differs from the applied pi-calculus in some ways. Requirements on the active 
substitutions in applied pi are that they can only contain one active substitution per vari- 
able, and that the active substitutions are non-circular. Furthermore they do not occur 
under prefixes, conditionals, or replication. The instance APi does not have these limi- 
tations, but the most important difference is that in APi (and in psi-calculi in general), 

aM . P -^^^ P corresponds to sending the cleartext of M directly. This is not possible in 
the applied pi-calculus. In order to transmit M in the applied pi-calculus the structural 
rule /x} I A) = A[x := M] must be used and an alias x for M be sent. To send an 

alias in this way in APi it must be introduced explicitly, as in 

^{*7x}[) \ax.P, and this 

agent is not the same as aM . P. 
Therefore, although the agents 

P = {uk, m)a{enc{m, k)) . P' 

and 

Q = {vx, k, m)({^"^("'^'Vx} I ax . P') 
(from equations (j3.ip and (j3.2p ) are the same in the applied pi-calculus, the APi counter- 
parts of the agents are different. In APi, P in ()3.ip represents an agent that emits the 
cleartext "enc(m, /c)". Any agent that receives this will immediately learn both m and k, 
and any scope of k will be opened in the process. This kind of agent can only indirectly be 
represented in the applied pi-calculus, by sending the restricted names separately one at a 
time. In contrast, the APi counterpart of ()3.2p \s Q = (z/x, A:, m)((|{^"'^('"''^)/j,-}|) I ax.P') 
and defines Q to emit an alias for enc(m, k). As in the applied pi-calculus since k is scoped 
a recipient will not learn m. If the same recipient later receives k, an alias u for the message 
m can be constructed as (]{^"^(^''=V«}D- 

Similarly, the agents Ri and R2 below are equivalent in applied pi, but the corresponding 
agents in APi are different. 

Ri = (i/x,A;,m)(f"^(™''=Vx-} I aa;.ax.P') 

i?2 = {vx,k,m){{-"-^^^^)/.,]\{vy){{-/y}\ax.ay.P')) 

In the applied pi-calculus, a new alias for a term can always be introduced "on-the-fly", 
and it is impossible to tell i?i and R2 apart - they are structurally equivalent. The psi- 
calculus approach gives the possibility to discern the two agents, similarly to how the same 
ciphertext bitstring sent twice can be identified even if the plaintext cannot be recovered. 
To avoid this, a new alias needs to be explicitly introduced for each transmission, mimicking 
a probabilistic crypto where different ciphertext bitstrings correspond to the same plaintext 
and key. 

Thus in psi-calculi, communication objects can range from literal data terms to indirect 
references, giving the user of the calculus the possibility to choose the appropriate form. 
Another difference between the calculi is illustrated by the agent A of the composi- 

tionality counterexample (j3.3p : Its counterpart Pa in APi is ('^a)((|{%}|) | x.b.O) 

T b 

(i^a)((|{%}D I 6.0) and is not equivalent to (i^a)((|{%}[) j 0); indeed also Pa \ x.O — > — > in 
our labelled semantics. 

In Section [4. 21 we present a simpler psi-calculus for expressing cryptographic examples. 
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3.3. Fusion and concurrent constraints. 

3.3.1. Fusion. The concept fusion means that communication can result in pairs of names 
being "fused together" in the sense that they can thereafter be considered the same. Fusion 
was independently developed by Fu |Fu97| (the x-calculus), Farrow and Victor |PV98j (the 
fusion calculus), and by Wischik and Gardner |GW001 IWG05j (the pi-F calculus). The 
fusion primitive was also encoded in the asynchronous pi-calculus by Merro [Mer98j . using 
equators. In psi-calculi, fusion can be formulated in a way reminiscent of the equator 
encoding: the assertions are equivalence statements between names (cf. explicit fusions or 
equators). A simple psi-calculus with fusion, call it Fi, would be the following: 

T M 

C =^ {a = b:a,beT} 

A =^ {{ai =bi,...,an = bn} : a-i eM,bi eM} 



dcf 
dcf 
dcf 



u 



1 

\- a = b if {a,b) e eq{^) 

where eq(^') is the equivalence closure of ^ (i.e. transitive, symmetric and reflexive closure). 
Thus terms are names, assertions are name fusions, and the entailment relation deduces 
equality between names based on fusion assertions treated as equivalence relations. We 
can verify that this is indeed a valid psi-calculus: the substitution properties are proved in 
Section [27H and we just need to investigate the requisites of Definition 12.31 Transitivity and 
reflexivity of the channel equivalence follows from the same properties of =; commutativity, 
associativity and identity follow from the same properties of U. For compositionality, let 
and ^'2 be two equivalent assertions. This means eq(^'i) = eq(^'2); we must show that for 
any we have eq(^'iU^'3) = eq(^'2U^'3). Using the fact that eq{ALIB) = eq(eq(A)US), 
we have eq(^'i U ^'3) = eq(eq(^'i) U ^'3) = eq(eq(^'2) U ^'3) = eq(^'2 U ^'3). 

In the x-calculus, fusion calculus, and pi-F calculus, input and output prefixes are 
completely symmetric and in particular the input is not binding. An example transition in 

the pi-F calculus (using the syntax of [WisOlj ) is ab . P \ ad. Q b=d \ P \ Q where b=d 
(for b and d of equal length) is a fusion which allows us to treat each bi ^b as equivalent to 
di € d. Inputs in Fi can still be binding, and we can represent the non-binding pi-F input 
ab .P as a(c) . ((|{6 = c}|) | P) where c^ab . P. For example, the pi-F communications 

ab .cc. P I ac.bd .Q b=c \cc.P\bd.Q b=c \ c=d \ P \ Q 
are expressed as: 

a{e).{(\{b = e}\)\cc.P) \ ac . b{x) . {(\{x = d}\) \ Q) 

^ [{\{b = e}\)\-cc.P)[e:=c] \ b{x) . {I\{x = d}\) \ Q) 
= (\{b = c}\)\-cc.P I b{x).{(\{x = d}\)\Q) 

^ ^{b = c}\)\P I [(\{x = d}\)\Q)[x:=c] 
= <\{b = c]\)\P I (\{c = d}\)\Q 

Below, we establish an operational correspondence between the pi-F calculus and Fi. 
Our presentation does not include the full details of the pi-F semantics, instead we refer 
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to |WG05] . The syntax used there differs a httle from that used in the examples above: most 
notably, a prefix written ax.P above is instead written a.{{x) \ P) (and symmetrically 
for inputs); here (x) is a vector of datums and the parallel composition operator is not 

symmetric for datums. Input and output transitions in are on the form P P' where P' 
is on the form {vc){{x) \ P) and c C x. For ease of reading, we write {x)P for ((x) | P) 
below. 

The encoding of pi-F processes into Fi is as follows: 

[a.(6)PlFi = a(c).(^{6 = c}|) I iPlpi) where c#a6.P 
la. (c) Pip; = ac.lP}^, 

P=ylFi = ^{x = m 

and is homomorphic for the other operators. To encode e.g. a. {uc){c)P we first rewrite it 
to the structurally congruent process {vc)a . {c)P (where a). 

In |WG05j ■ two labelled transition semantics are defined for pi-F and proved to coincide: 
the quotiented and the structured semantics. The first has a traditional rule for using 

structural congruence (=) to derive transitions: if Q = P P' = Q' then Q Q'. The 
second semantics has a similar rule but which only allows = to be used after the transition: 

if P P' = P[ then P P[. In psi-calculi there is no such structural rule. For the 
operational correspondence, however, by the lemma below we can select a suitable structural 
representative of the pi-F process. 

Lemma 3.4. In the quotiented semantics of pi-F, if P P' with a deduction tree of 
depth n, there is a deduction tree for the transition of depth no larger than n which uses 
structural congruence only in its last deduction, or not at all. 

Proof. By induction over n. □ 

In the proof below, we make use of the fact that weakening holds in Fi: if ^ h then 
^'(g)^'' h ip, and thus in particular 1 \> P P' imphes \> P P' . 

Proposition 3.5. In the quotiented semantics of pi-F, 

(1) If P {vc){x)P' with c Q X and a^c, then there exists a Q s.t. Q = P and 1 [> 
IQhi Q' and 3P" : P' = P" and Q' = [P'^pj. 

(2) If P {vc){x)P' with c Q X and a^c, then there exists a Q s.t. Q = P and 1 [> 
IQlFi ^ (^c)((|{x = m I Q') and 3P" : P' ^ P" and Q' = {P"}^,. 

(3) IfP^P' then there exists a Q s.t. Q = P and 1 > {Qjp. Q' and 3P" : P' = P" 
and Q' = [P"]pi. 

Proof. By Lemma 13. 4| without loss of generality we can assume that the transition of P 
in the premise can be deduced also for Q without using the transition rule for structural 
congruence. The proof is then by induction on the depth of the deduction, matching each 
operational rule of pi-F with a rule in psi. 

(1) Base case: P = a. Pi and P Pi where Pi = {vc){x)P' with c C x. We proceed 
by induction over the length of c. The base case is when Pi = (i)P', and [Pjpj = 

a5. [P']pi. Then 1 [> |P]pi ^ [P'lp;. In the induction case, P = {vc)a . {S:)P' = Q 
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with a#c. Then [QJp; = (z^c)ax. [i^'lp; and by a sufficient number of uses of Open, 

1 > [QlFi ^ iP'h-r 

Induction: we show the case for the parallel rule. Here P = Pi \ P2 and Pi 
{uc){x)P{, so Pi I P2 A (z/c)(x)(Pi' I P2) with c#P2. By induction, 1 > [Pjp; 
Q'l, and by Par (and weakening) also 1 [> [Pilpi j [-P2lFi "'^'^^^^) Q[ \ [P2]Fi) since 

C#lP2lFi. 

(2) Similar to the output case, using Scope instead of Open for the induction over c. 

(3) Base case: P = a . Pi \ a.P2, where Pj = {vci){xi)Pl with Cj C Xj, for i G {1,2}, 

and ci#(x2)P2 and vice versa. Then P (i^ciC2)(x'i=af2 | P{ | P2). By induction, 
1 [> la.PilFi ^(^^^ Q; and 1 [> [a. Palp; ^ (i^C2)(^{xi = xsjD I Q'2), and 1 > 

IAIfI I I^2lFi ^ (^^C1C2)((|{X1 = X2}^ | Q'l \ Q',). 

Induction case: straight-forward, using corresponding operational rules. □ 

For the correspondence in the other direction, we use the structured semantics of pi-F, 

which has a rule to rewrite labels: if P P' and P h a = /3, then P P', where P \- if 
if the pi-F correspondent to the frame of P entails ip. This is similar to the rewriting done 
in psi-calculi, in the prefix and communication rules. 

A transition in psi uses an assertion which needs to be part of the process in pi-F; 
below we write |^']^^ for the obvious mapping from Fi assertions to pi-F fusions. In the 
proofs below, we use results from Section [521 s-^d write P = Q for two psi-calculus agents if 
they can be proved equal by only Theorems 15.71 and 15.81 which correspond to the standard 
structural congruence. 

Proposition 3.6. 

(1) If^O |P|Fi P' then I P A {uc){x)Q and 3Q' : Q = {^-^ \ Q' and 

P' = [Q'lFi 

(2) //^ t> [P]Fi ^= {t^c){(\{x = y}\) I P') where cOy then {^j'^ \ P ^ {i^c){y)Q and 
3Q':Q= I Q' and P' = IQ%, 

(3) If^ > [Plpi ^ P' then l^-r^ \ P and^Q' ■.Q = [^p^ | Q' and P' = IQ%.. 

Proof. By induction over the derivation of the psi-calculus transition. We sometimes use 
|WG051 Lemma 11] to restructure a pi-F agent before the transition (P = Pi P' implies 
P P'), and idempotence of fusions. 

(1) Base case: ^ [> [Pip; ^ P' by the Out rule. Then P = . Q and ^ [> [PJf; ^ [QIfi 
where ^ h a o 6, thus in pi-F [^'J"^ | P {x)Q and [^|~^ | P h a = 6 so 

Induction: we show the case for Open. Here [Plpi = (^^c)[Pi]f; and ^ > iPilp; 
(z^e)P' s.t. c#e,^,a and c G n(x), and by Open ^ > (z^c)[Pi]pi (z^ce)P'. By 
induction \ Pi A {ve)Q, and thus (i^c)([[*r^ | Pi) A {vce)P', and also 

I^r^ I (z.c)(Pi) A (z.ce)P'. 
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(2) Base case: ^' > [P]pi ^ P' by the In rule. Then P = 6y . Q and ^' [> [Pip; (|{5 = 

y}\) I IQJf-i where ^' h a o 6, thus in pi-F l^-]"^ | P (y)([^r^ | Q) and as above 

equally I^r' I ^ Q)- 

Induction: we show the case for Par. Here {Pjpi = I-Pilpi I [-P2]Fi and > 

lAlpi ^= (^c)((|{x = y}|) I Pi) and by induction m^p^jJ'Y' I A ^ 
(i/c)(y)Qi, where c C y and 3Q' : Q = d^]"^ j Q') A P{ = IQlp;. Then ^ > 
lAlpi I iPslpi = y}\) I Pi') I lP2lpi ^ (^c)(0{x = y}P | P{ | lP2lpi) 

where c#lP2lpi. In pi-F, we have [^r^ j I^|pJ^ 1 I ^^2 ^ (z^c)(y)(Qi j P2). 
W.l.o.g. (see |WG05l p613]) we can assume that P2 is on the form (j) \ P" where <j) 
is a fusion and P" has no top-level fusions. Thus i'^p^j = and by idempotence of 

fusions, equally [^-r^ | | Pi | P2 ^ (z^c)(y)(Qi | P2). 

(3) Base case: ^ [> [Pip; ^ Q by the Com rule. Then |P|pi = [Pilp; | [Pjlp; and 

^^V^Li ^ f^i^Fi K ^^*IP,1^^ t> [P2lpi ^ {ue){{\{i = m I P^O, where 

c#P2, e#Pi, e C y, and (gj^fip^^j h a o 6, as well as 

^ t> iPilpi I iP2ipi ^ iuc){Pi I (z.g)((|{x = m I p^o) = (i^cemx = m \ pi \ p^o- 

Application of ^ yields I^^^Ip^Ij,.!"^ I ^1 ^ {i^c){S:)P{ \ [^-^^i^^j^ r\ and by 

we obtain r' I P2 ^ {i^e){y)P^' \ l^0^^p^jJ-\ 

Then 

^ (i/ce)(5=y I P{ I P^ i iM/^^'j^^j^pi I iM/^M/j^^j^j-i) 
^ (i.ce)(5=y I P{ I P^' I I^®^[P,£!^^|P,1^ r') 
and since \E'(8'^'|p^j (8)^'|p^j h a A 6 the label can be rewritten to ?a = a and then 

further rewritten to r. As above we can assume that P is on the form (j) \ P" where <j) 
is a fusion and P" has no top-level fusions. Thus 6pj = bp^ = e, and by idempotence of 
fusions, equally 1*1"^ | Pi | P2 ^ {uce){x=y \ P{ \ P^') \ {"^j'^. 

Induction: straight-forward matching of transitions rules. □ 

3.3.2. Concurrent constraints. Process calculi which integrate communication and mobility 
with concurrent constraint (CC) programming have appeared e.g. in [Smo941 INM951 [DRV981 
IBMOSj . Here, the ask and tell operations interact with a constraint store. The ask ip . P 
operation checks whether a constraint (p is satisfied by the current store and only then 
proceeds as P, corresponding to if f then r . P in psi-calculi. The tell ^ . P operation 
adds a constraint ^ to the current store before proceeding as P. Two variants of tell have 
been identified and used: one which can only proceed if the resulting store is consistent 
is known as atomic tell, and one which allows an inconsistent store and is called eventual 
tell |Sar93] . The eventual tell operation is used in earlier process calculi which integrate 
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constraints and communication, e.g. the vr^-calculus |DRV98j and the p-calculus [NM95] . 
The atomic tell operation is used in the CC-Pi calculus |BM08j . 

We here present a psi-calculus with concurrent constraints. Similarly to CC-Pi we 
extend a basic pi-F-like calculus with ask and tell operations and use a named c-semiring 
|BM08j as the constraint system parameter. Such a constraint system contains names, name 
fusion/equality constraints and a name hiding operator z/, and supports general constraint 
semirings, e.g. Herbrand constraints. 

Our psi-calculus, call it Ci, with associated named c-semiring C = (A, ©, (8>, 0, 1) and 
induced preorder ^ is: 

A^^'C = A 





dcf 


T 






dcf 


C 






dcf 








dcf 




dcf 


1 




h 


dcf 





The similarly notated operator 05 in C 
1 

Thus terms are names, while conditions and assertions are defined by the carrier A of the 
named c-semiring, which by definition includes names and name fusions, and implicitly 
name equality conditions. The properties of named c-semirings guarantee the requirements 
of psi-calculi, assuming that substitution on the named c-semiring satisfies our requisites. 
Abelian monoid properties follow directly, compositionality from ^'i ~ \I'2 =^ = ^2) 
and the channel equivalence properties from the fact that = is an equivalence. We extend 
the encoding of (monadic) pi-F processes and represent ask ip . P as ii ip then r . P. An 
eventual tell operation tellg ^ .P can be represented as r. (d^O | P). The atomic tell^ 
operation can be handled by adding a condition cons(^) to C with ^ h cons(^'') if ^'(8>^'' 
is consistent, and representing tell^ ^' . P as if cons(^) then r . (d^O | P). 

The most prominent difference from the CC-Pi calculus is that there, name fusions 
resulting from communication are required to be consistent with the store, otherwise the 
communication cannot happen. In contrast our semantics will allow communication tran- 
sitions that lead to an inconsistent store. This difference is illustrated below: 
In CC-Pi: 

P = '^\ab.Q\cd.R^'^®ib = d)\Q\R 
if ^ ^ a = c and ^®{b = d) consistent 

In Ci: 

P = (\^\) \ah.Q\c{x).{(\x = d\) \R) 

^ \ (\b = d\) \ Q \ R if h a = c 

While it appears not possible to integrate an atomic consistency check in a psi-calculus 
communication without changing our COM rule, explicit consistency checks (like cons(^')) 
can be used to handle interesting applications in practice. 

The semantics of CC-Pi is given by a structural congruence and a reduction relation. 
There is also a labelled operational semantics, but it is in fact not compositional. Consider 
the CC-Pi agents 

P = {vb, x){x = b \ ax .b . c) Q = {vb, x){x = b \ ax) 
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(where insignificant objects are omitted). They have the same constraint store and the 
same transitions in all constraint contexts. However, they do not have the same transitions 
in all process contexts: a parallel context R = a[y).y tells the difference: 

P I R {ub){x = h\ x = y\c) 

while Q \ R oi course has no such c transition. Thus Theorem 1 of |BM08j is incorrect: 
open bisimilarity is not a congruence (see also |BM09j ). 

The labelled semantics of CC-Pi has a curious asymmetry between the rule for prefixes 
and the rule for communication: in the first case, the constraint store cannot affect the label 
induced by the prefix, while in the communication case, the constraint store judges whether 
the subjects should be considered the same, enabling the communication. The psi-calculi 
have no such asymmetry: the assertions (corresponding to the store) allow the subject to 
be rewritten in the prefix rules and the subjects in Com are compared using the assertions 
(see Section [2.61 for a discussion). A possible fix for CC-Pi would involve allowing the store 
to rewrite terms, thus also subjects in prefixes |Bus09j . 

Psi-calculi go beyond most concurrent constraint systems in two ways. Firstly, we allow 
arbitrary logics, even higher-order ones. Secondly, we allow constraints and conditions to 
be data terms, which means an agent can transmit and receive these. For example, assume 
that c is a constraint and that f is a function from assertions to assertions. Then in 
the agent ac.P \ a{z) . {(\f{z)\) \ Q) P \ (|f(c)|) | Q the left hand agent sends the 
constraint c to the right, and f is applied to it. Similarly, if p is a unary predicate, in the 

agent ap.P \ a{z) .if z{x) then Q P \ if p(a;) then Q the left hand agent sends the 
predicate to the right, which applies it to x. 

4. Applications 

In this section we will look at a few applications of psi-calculi, some of which have been 
described before in other formalisms, and some which are novel. 

4.1. Structured terms as channels. Calculi with channels that can carry complex data 
are common, but in most cases the terms that represent channels are very simple, usually 
only a single name. We here give some examples where they have structure, and thus may 
contain more than one name. 

4.1.1. Frequency hopping spread spectrum. Wireless communication over a constant radio 
frequency has a number of drawbacks. In a hostile environment a radio can be tuned 
in to the correct frequency and monitor the communication which is also vulnerable to 
jamming. A solution to these problems is to jump quickly between different frequencies in 
a scheme called frequency hopping spread spectrum (FHSS), first patented in 1942 [MA42] . 
To eavesdrop it would then be necessary to match both the order of the frequencies and 
the pace of switching. Jamming is also made more difficult since the available power would 
have to be distributed over many frequencies. 

We will here show how this is modelled in a psi-calculus. It is assumed that the 
initiator of the communication and the receiver share an algorithm used to calculate the 
next frequency. The procedure starts by the initiator sending a communication request 
over some predetermined frequency. The receiver then sends a seed back to the initiator 
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and both use it to calculate the sequence of frequencies to be used. Then the initiator 
synchronises over the first calculated frequency to verify that it got the right sequence. The 
communication then proceeds and both parties change frequencies accordingly. 

We will now look at the psi-calculus used to model this frequency hopping algorithm. 
We let terms represent radio frequencies and use the unary function nextFreq(M) to rep- 
resent the algorithm for calculating the next frequency, given the previous frequency M. 
This psi-calculus has no assertions other than unit. 

T =^ A/'U {nextFreq(M) : M G T} 
C =^ {M o iV : M, N eT} 
A {1} 

„ def . T T -. 
(g) = A'I'1,^'2. 1 

1 h M o M 

We define T to be a o a in order to be able to use non-deterministic choice as noted in 
Section [231 

Let Xin^out be an arbitrary agent that communicates with the environment via the 
channels in and out. This agent will be wrapped in contexts that will let it do FHSS in 
a transparent way: from the agent's point of view it will only communicate over the local 
channels in and out. The agent FHSS that implements frequency hopping looks like: 

(out{y) .freq{y) . fh{nextfreq{freq))\ 
FHSS = \fh{freq). + _ _ 

\freq{y) . in{y) . //i(nextFreq(/reg)) 

This agent can be thought of as a function fh that will take a frequency and then either 
wait for something to be received from the local channel out to send over this frequency, or 
to receive something over this frequency and forward it to the local channel in. It will then 
calculate the next frequency and start over. 

The behaviour when the agent Xin^out acts as initiator is modelled as a context where 
the initiating sequence starts by sending a synchronisation message sync over a predeter- 
mined control channel ctl, and then waits for a seed from that channel. It then starts the 
frequency hopping algorithm with the seed and sends a synchronisation message over the 
first frequency, and behaves as Xin^out- It is assumed that seed^Xin^out- 

I[Xin,out] = ctl{sync) .ctl{seed) . fh{seed) . out{sync) .Xm^out \ FHSS 

The behaviour when the agent Xm^out acts as a receiver is modelled similarly: the 
receiver listens to the control channel ctl and sends back a seed. Then it starts the frequency 
hopping algorithm with this seed and waits for a synchronisation message. The receiver 
then behaves as Xin^out- It is assumed that x, seed, sjj^Xin^out- 

Fl[Xin^out\ = ctUys) . seed) ctl (seed) .fh{seed) .mix) .Xin^out \ FHSS 

The full system where Xm^out may behave as either a receiver or initiator is then 
modelled as 

FH[Xin,out\ = {I'fh, in, out) {I[Xin^out] + R[Xin,out]) 

where it is assumed that fh^Xin^out- 



PSI-CALCULI: A FRAMEWORK FOR MOBILE PROCESSES WITH NOMINAL DATA AND LOGIC 27 



Let us look at a few transitions of the receiver. First the receiver gets a request to do 
frequency hopping over the control channel: 

ctl sync 



FH[X. 



in, out] 



{ufh, in, out) {^{u seed) ctl {seed) . fh{seed) .mix) .Xin,out I FHSS) 
It then sends the seed to the initiator and starts the frequency hopping using this seed: 

y {I'fh, in, out) {fh{seed) . in{x) . Xin,out 

I FHSS) 

( in{x) . Xin^out 



[ufh, in, out) 



\ 



' out (y) . seed{y) . fh{r\extfreq{seed)) 



+ 



FHSS 



\ 



I 



, seed (y) . in{y) . fh{r\extfreq{seed)) 
At this point the initiator will send the sync message: 

seed sync^ 

{ufh, in, out) (_m(x) .Xm^out \ in{sync) . fh{nextfreq{seed)) \ FHSS) 
{ufh,in, out) [Xin^out \ //i(nextFreq(seerf)) | FHSS) 
After another r-transition the agent is ready to communicate over the next frequency: 

( in, out ^ 



{yfh, in, out) 



( out (y) . nextfreq (seed) (y) . //i(nextFreq(nextFreq(seed)))^ 



+ 



_ _ I FHSS 

\ \^nextFreq(seerf)(y) . m(y) . /7i(nextFreq(nextFreq(seed))) / J 

This example could easily be made more complex by adding relevant error checking 
(e.g. the receiver could check that the synchronisation message is correct), but even in this 
form it illustrates the use of structured channels. 



4.1.2. Local services. A common scenario is that different servers implement the same kind 
of functionality known under some globally known name. HTTP servers are examples of 
this where the service provided is normally available on IP port 80. Here the name of the 
service (port 80) is shared among the different servers. The general problem is that there 
is a service known under a global name, but available from servers with different names. 
This problem is treated in depth in |CS01| where the authors invent a new calculus for this 
purpose. Here we show how the same problem can be solved using an instance of psi-calculi. 

The instance used is basically the same as for polyadic pi-calculus as presented in 
Section [23] augmented with terms of form M@N and the entailment 1 h M@N o M@N, 
where M and N are terms. This gives the possibility to scope a part of a channel term, e.g 
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{i^b){a@bc.P), as in |CM03] . 

T = {M@N : M,N (£ T}U 

{t2(M,A^) : M,iV e T}UAA 

C =^ {M <^ N : M,N eT} 

A {1} 

„ dcf , -r T -• 

® = A^l,^'2. 1 

1\- a VoGTV 

1 h M@iV o M@A^ VM, iV G T 

The following example is adapted from |CS01j . Assume there are globally known names 
finger and daytime which refer to resources located at some server. Different servers have 
different local information, but this information is accessed through the same globally known 
names. This can be modelled as 



service@a{replyc) . 
Server = ! server (t'),( service, replyc)) . (ua) ( | Finger{a) 

I Daytime{a) 



Finger(a) = finger@a{replyc) . replyc (UserList) . 
Daytime{a) = daytime@a{replyc) . replyc{Date) . 

where UserList and Date are some terms containing the requested information. The exact 
nature of these terms is unimportant for this example. 

The server listens to incoming requests on channel server and receives two names. The 
first name is the requested service, and the second is the reply channel. It will then do an 
internal communication with the particular service daemon. There is no risk of interference 
since a locally scoped name is part of the service channel. The result of the request is then 
forwarded along the reply channel. 



(finger@a{c) . 
I Finger{a) 
I Daytime{a) 

— ^ Server \ {va) ( | 'c{UserList) .0 | Daytime{a) ) 
c{UserList)^ S'erver | [va) ( | | Daytime{a) ) 

Since any transitions from Daytime{a) are prevented by the restriction, the final derivative 

will behave like Server. 



4.2. Cryptography. In this section we give a sequence of examples from cryptography, 
culminating with a model of the Diffie-Hellman key agreement protocol. Our exposition is 
quite similar to the applied pi-calculus as presented in [AFOlj , and we will use a psi-calculus 
that mimics this closely. The main point is that psi-calculi can express these cryptographic 
examples in an equally concise way, and within a leaner and more symmetric formalism. 

The psi-calculus instance we use for the examples below can be seen as a simplification 
of APi in Section [3.21 in that we do not distinguish between different kinds of names, and 
we do not use inequality. To construct this psi-calculus we assume an inductively defined 
set of terms using a signature S, and an equational theory hs which let us infer equations 
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M = N where M and N are terms. Exactly how this theory works is unimportant for this 
presentation. Substitution is defined in the expected way. 

T =^ M\J {f(Mi, . . . , M„) : f e S A A/j e T} 

C =^ {M = N : M,N £ T} 

A = Vfin{{M = N : M,N eT})} 



dcf 
def 
def 



u 

rlof 

1 

^' h M = iV if hsu* M = N 

An assertion is a finite set of equations between terms. We often ehde the set brackets in 
agents, e.g. writing (\M = N\) instead of (|{M = N}\). The conditions are just equations 
M = N. Entailment is defined such that ^ \- M = N holds if M = A can be inferred 
from the equational theory hs extended by the equations in ^. This instance satisfies the 
requirements by the same reasoning as for APi. 

We start by looking at how one-way hashing is modelled. In addition to symbols 
for tupling and projection, and their associated equations, the signature contains the unary 
symbol hash(j;) which has no equations. The only equation on hash that is true is hash(M) = 
hash(M), and this means that the hash function is collision free. The following example 
shows one agent sending a message M together with a hashing x of the message and a secret 
name s to another agent. The second agent will only forward M if it is properly hashed. 

M(^hash(t2(s,M)) =x|) \a{t2{M,x)) | a(y) . if hash(t2(s, 7ri(y))) = 7r2(y) then 6(7ri(y))) 

To model symmetric cryptography, the signature is extended as in Section 13.21 we add 
the binary symbols enc(rE, y) and dec(x, y) together with the equation dec(enc(2;, y),y) = x. 
The following agent sends a message M encrypted with the secret key k, without revealing 
the plaintext or key. 

{uk,x){(\enc{M,k) =x\) \ax) . . . 

Asymmetric encryption is modelled by adding two new unary symbols pk(s) and sk(s) 
which generate the public and secret keys from a common seed value, and the equation 
dec(enc(a;, pk(A;)), sk(A;)) = x. The following agent sends the public key on channel a, receives 
a message along channel b, decrypts it with the secret key, and sends the decrypted message 
along channel c: 

{us,x){(\pk{s) = x\)\ax\ b{y).{(\dec{y,sk{s)) = z\)) \ cz) 

Non-deterministic crypto is modelled by using a ternary version of the symbol enc(a;,y,2;) 
with some salt in the last argument, together with the equation dec(enc(x, pk(fc), z), sk(/c)) = 
x. Consider the following agent: 

a(j;).((z/m, y)((]enc(M, x, m) = y\) \ by) \ {un, z){(\enc{M,x,n) = z\)) \ cz) 

An observer of this agent cannot tell whether y and z are encryptions of the same message 
or not, because of the unique salt. 

Digital signatures are modelled by adding the binary symbol sign(x, y), the ternary sym- 
bol check(x, y, z), the constant symbol ok, and the equation check(3;, sign(x, sk(/c)), pk(/c)) = 
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ok. The following agent sends a signed message along a, then the parallel component receives 
it and checks the signature. If it is ok it is then forwarded. 

{iys,z){(\pk{s) = y\) I ^sign(M,sk(s)) = z\) \ at2{M,z)) 

I a{x).\t check(7ri(x), 7r2(x), y) = ok then h-Ki{x) 

The Diffie-Hellman protocol |DH76j is used to establish a shared secret between two 
principals who do not necessarily share any secrets beforehand. This is done by exchanging 
messages over a public channel. 

We let S include f(x,y) and g{x), and the equation system includes f(x,g(y)) = 
f(?/, g(j;)), but no other equations on f and g. The first principal P creates a secret np 
and sends an alias xp ol g{np) to the other principal Q, and Q does likewise. Then P can 
create the term f{np,XQ) and Q can create the term f{nQ,xp). Using the equations above 
these two terms are equivalent and the shared secret has been established. Concretely f 
and g are functions in a multiplicative group modulo a large prime, but here we ignore the 
number theory. 

Let Pkp and Qkg be two agents that will share a secret key and will use the names 
kp and /cg, respectively, to refer to it. The Diffie-Hellman key agreement is modelled as 
two symmetric contexts DHoi[-] and DHio[-] in which the agents are placed. The context 
DHqi [Xf^] is defined as 

DHoi[Xk] = (z^n,x,aoi,aio)((|g(n) = x|) | oqix \ 010(2;). (z^/c) ((|f (n, z) = k\) \ Xk)) 

where n, x, oqi, oio#^fc a-nd k occurs in X/^ as a a name that refers to a key. The context 
DHio[Xk] is defined in the same way but with aio and aoi swapped. 

The agents Pkp and QkQ agree on the secret by placing them in the contexts: DHqi [Pkp] 
and DHiolQkg]- The key agreement will then do two internal transitions: 

DHoi[Pkp] I DH.olQkQ] ^ ^ {vxp,xq){P' \ Q') 

where 

P' = (i/np,aoi,aio)((|g(np) = xp[) | (i/A:p)((|f(np, xq) = kp\) \ Pkp)) 
Q' = {vnQ,am,aiQ){(\g{nQ) = XQ\j | {vkQ){(\{{nQ , x p) = A;q[) | Quq)) 

The X and n from the context have been alpha-converted to the variants with subscripts to 
avoid clashes. 

Since the agents are communicating over a public channel the messages may be inter- 
cepted by a passive attacker which then forwards them unmodified. In presence of such an 
attacker the agents evolve to P' \ Q' where the lack of binders for x p and xq represent that 
the hostile environment now has access to these values. We show that this does not break 
the protocol. 

As a specification for this protocol we put Pkp \ QkQ in a context where they already 
share a secret, here represented by the name k': S = {ukp, kQ, k'){(\k' = kp\) \ (\k' = 
kgl) I Pkp I Qkq)- We then show that P' \ Q' and S behave the same, denoted -P' | Q' ~ S. 
The precise meaning of ~ is given in Section [U but for this particular example it is sufficient 
to think of ~ as equivalence of the frames of S and P' \ Q' according to Definition 12.51 This 
equivalence is closed under parallel composition (if P and Q behave the same, then so will 
P I R and Q \ R for any agent R) and restriction (if P and Q behave the same, then so will 
{va)P and {ua)Q, for any a). 
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We have that 

{unp,ap){(\g{np) = xp\) \ (|f(np,XQ) = kp\)) 
I (.'^'nQ,aQ){(\g{nQ) = xq\) I (\f{nQ,xp) = /cq|)) 

{i.k'mk' = kp\)\{\k' = kQ\)) 

The reason is that the only condition entailed on both sides is kp = kq, no equalities can 
be entailed on and xq. Since ~ is closed under parallel composition we can add the 
agents: 

{vnp,ap){(\g{np) = xp\) \ (|f (np,XQ) = kp\)) 
I {vnQ,aQ){(\g{nQ) = XQ\j \ (\{{nQ,xp) = /cq[)) 
I Pkp I QkQ 

il,k'){(\k' = kp\)\(\k' = kQ\)) 

I Pkp I QkQ 

Since ~ is closed under the restriction operator: 
{ukp,kQ) 

( (z/np,ap)((|g(np) = xp\) \ (]f(np,XQ) = kp\)) 
I {unQ,aQ){{\g{nQ) = xq\) \ (\f{nQ,xp) = /cqD) 

I Pkp I QkQ) 

{vkp.ko) 

( {Vk'){(\k' = kp\, I (\k' = kQ\)) 
I Pkp I QkQ) 

Finally, by the structural laws of Theorem 15.81 in Section 

P' \Q' ^ S. 



5. BiSIMILARITY 

In this section we define a notion of strong bisimilarity on agents and prove that it 
satisfies the expected algebraic laws and substitutive properties. The results hold for any 
psi-calculus and give us confidence in the semantic definitions. 

5.1. Definition. In the standard pi-calculus the notion of strong bisimulation is used to 
formalise the intuition that two agents "behave in the same way" ; it is defined as a symmetric 
binary relation IZ satisfying the simulation property: TZ{P, Q) implies that for a such that 
bn(a)#Q, 

ifP ^ P'thenQ ^ Q'aTZ{P',Q') 
For a psi-calculus we additionally need to take the assertions into consideration. The be- 
haviour of an agent is always taken with respect to an environmental assertion. We define 
bisimulation as a ternary relation TZ{^, P,Q), saying that P and Q behave in the same 
way when the environment asserts \I'. Because of this two additional issues arise. The 
first is that the agents can affect their environment through their frames (and not only by 
performing actions), and this must be represented in the definition of bisimulation. The 
second is that the environment (represented by ^ in 7^(^, P, Q)) can change, and for P and 
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Q to be bisimilar they must continue to be related after such changes. This leads to the 
following definition of strong bisimulation. 

Definition 5.1 (Bisimulation). A bisimulation 7^ is a ternary relation between assertions 
and pairs of agents such that 7^(^', P, Q) implies all of 

(1) Static equivalence: '^®T{P) ~ '^^F{Q) 

(2) Symmetry: 7^(^,Q,P) 

(3) Extension of arbitrary assertion: V^'. TZ{^®^' ,P,Q) 

(4) Simulation: for all a,P' such that bn(a)#^,(5 there exists a Q' such that 

if ^ > P ^ P' then > Q ^ Q' ^ 7^(^, P', Q') 

We define P -^iji Q to mean that there exists a bisimulation TZ such that TZ{^,P,Q), and 
write ~ for 

Clauses 2 and 4 are familiar from the pi-calculus. Clause 1 captures the fact that the 
related agents have exactly the same influence on the environment through their frames, 
namely that when they add to the existing environment {^) then exactly the same conditions 
are entailed. Clause 3 means that when the environment changes (by adding a new assertion 

the agents are still related. An example may clarify the role of this clause. Let /3 be a 
prefix and let (p be any non-trivial condition, and consider 

P = /3./3.0 + /3.0 + /3.i{ if then /3.0 
Q = /3./3.0 + /3.0 

P can non-deterministically choose between three branches and Q between the two first of 
them. Here P and Q are not bisimilar. If P performs an action corresponding to its third 
case, reaching the agent P' = if ip then /3.0, there is no way that Q can simulate since 
neither Q' = nor Q' = /3.0 is equivalent to P' in all environments. In fact, any reasonable 
variant of bisimulation that equates P and Q will not be preserved by parallel. To see 
this, let T be 7.(|^'[), where 7 is any prefix and ^ an assertion that entails if. Then the 

transition P | T P' \ T cannot be simulated by Q\T, since P'\T can only do an action 
7 followed by an action /3, whereas f3.0\T can do /3 immediately, and 0|r can do no (3 at 
all. This demonstrates why clause 3, extension of arbitrary assertion, is necessary: it says 
that after each step all possible extensions of the assertion must be considered. If we would 
merely require this at top level, i.e. remove clause 3 and instead require y^.TZ{^,P,Q) in 
the definition of P ~ Q, the extensions would not recur; as a consequence P and Q in the 
example would be equivalent, and the equivalence would not be preserved by parallel. 
For another example, consider 

R = i{ (p then /3 . if 99 then ^.0 S = if ip then (3.^.0 

In R the condition is checked twice. In general R and S are not equivalent. To see this, let 

and be such that * h 99 and ^'(g)^' 1/ if. We then have that \> R if ip then /3.0 

and it cannot be simulated by ^ > 5 /3.0 because of the recurring clause of extension 
of arbitrary assertion: if if then /3.0 has no transition in the environment However, 
if the entailment relation satisfies weakening, i.e. ^ \- ip ^ ^'(8)^'' h if, we get the intuitive 
result that R and S are bisimilar. This also demonstrates the inadequacy of the smaller 
and simpler definition of ~ as the largest relation satisfying 

if V^'.^' [> P A P' then ^' [> Q A Q' A P' ~ Q' 
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The difference is that here bisimulation recurringly requires to hold for all assertions, not 
only for those that are extensions of the ones passed so far. This would have the unintuitive 
effect of making R and S in the example above non-bisimilar, even if weakening holds. 

If there are inconsistent assertions, i.e. assertions that entail all conditions, the effect of 
Clause 3 is very strong: Bisimilar agents are required to behave the same even if the envi- 
ronment is inconsistent. For example, in this situation the agent {ua)a . is not equivalent 
to 0, since an inconsistent assertion can make all names channel equivalent, and therefore 
[va)a.O has actions with all names except a as subject. The algebraic properties to follow 
hold for all psi-calculi, including those with inconsistent assertions. It remains to be seen if 
and how bisimulation in such psi-calculi is useful to model applications. 

Interestingly, there is an alternative way to define bisimulation as a binary relation 
preserved by parallel contexts. 

Definition 5.2 (Context bisimulation). A context bisimulation 7^ is a binary relation on 
agents such that 7^(-P, Q) implies all of 

(1) Static equivalence: F(P) J^{Q) 

(2) Symmetry: n{Q,P) 

(3) Extension of contextual assertion: 'i'^ . lZ{(\^\j \ P, (\^\) \ Q) 

(4) Simulation: for all a, P' such that hTi{a)^Q there exists a Q' such that 

if 1 > P ^ P' then 1 t> Q ^ Q' ^ 7^(P^Q') 
We define P -^"^ Q to mean that there exists a context bisimulation TZ such that 7^(P, Q). 

Such a definition is more in line with standard contextual bisimulations, and also the 
way bisimulation is defined in the applied pi-calculus. The drawback is that it relies on an 
operator in the calculus (parallel) for its definition. For conducting proofs our experience 
is that Definition 15.11 is preferable. We have shown that these bisimilarities coincide, i.e., 
the definitions result in the same bisimulation equivalence: 

Theorem 5.3 (Bisimilarity and context bisimilarity coincide). = Aj^ 

We now show that the usual strong early bisimilarity for the pi-calculus, denoted ~7r, 
and bisimilarity in the instance Pi coincide. 

Theorem 5.4 (pi-calculus bisimilarity and Pi bisimilarity coincide). 

P^.Q^ [Pip. ^ iQlp. 

Proof. (^): Static equivalence and extension of arbitrary assertions hold trivially since the 
only assertion is 1. Symmetry follows directly, and simulation follows from Lemma 13.31 
(<^=): Symmetry follows directly, and simulation follows from Lemma 13.31 □ 

In addition, we conjecture that Inside-outside bisimilarity for the pi-F calculus [WisOlt 
Definition 17] coincides with bisimilarity for the psi-calculus Fi (see Section [3.3.ip . 

5.2. Algebraic properties. Our results are that bisimilarity is preserved by the operators 
in the expected way, and also satisfies the expected structural algebraic laws. 

Theorem 5.5. For all 

(1) P '^n, Q ^ P \ R'^<i, Q \ R. 

(2) P Q ^ {ua)P ~^ (Va)Q if a#^. 
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(3) P~g. Q^!P^^!Q. 

(4) Mi.Pi Qi =^ case tp : P ~^ case ip : Q. 

(5) P ~^ Q ^JlN.P MN.Q. 

(6) (VL. P[5 := L] g[S := L]) ^ 
M{Xa)N.P M(Aa)7V.Q 

Definition 5.6. P -^ii- Q means that for all sequences a of substitutions it holds that 
Per Qa, and we write P ~ Q for P ~i Q. 

Our requirements on the substitution function are very weak. For example, we do not 
require that P[e := e] (the substitution of length 0) is P, nor that sequences of substitutions 
[x := M][y := N] can be combined into one. For this reason, '^ij, is defined by closure under 
sequences of substitutions rather than single substitutions [x := M]. 

Theorem 5.7. ~^ is a congruence for all ^. 

Theorem 5.8. r-^ satisfies the following structural laws: 

P ~ P j 

P I (Q I P) ~ (P I Q) I P 

P\Q ~ Q\P 

(i/a)0 ~ 

_P I (i/a)Q ~ {ua){P I Q) 

MN.{va)P - {ua)MN.P 

M{Xx)N.{ua)P ~ {ua)M{Xx){N).P 

case ip : {ua)P {ua)case p : P 
{va){ub)P ~ {ub){ua)P 
IP ~ P I !P 

The most awkward part of the proofs is for Theorem l5.5t fTI) , and historically this is 
the proof that most often fails in calculi of this complexity; the intricate correspondences 
between parallel processes and their assertions are hard to get completely right. We give 
an outline of the proof and cover in detail the simulation case where the parallel processes 
communicate with each other. In the following we tacitly assume J'{P) = {vhp)'^p, where 
bp^P, for any agent P, unless otherwise noted. 

We pick the candidate relation TZ = {(^', {v'a){P \ R), {ua){Q \ R)) : P '^if^^ii^j Q} where 
a#^, and prove that 7^ is a bisimulation. Moreover we assume that bp#bQ,Q,bR, R,"^, 
and bpi^P, Q, 'J/, or, in other words, that bound names are distinct from all free names and 
other bound names. Formally the proof is conducted by an induction on the length of a. 
The induction step is straightforward, so we focus on the base case. The agent P | R can 
operate either by P or P doing individual actions, or by P and R communicating, where 
we cover the latter case, as it is the most involved. 

In this case we have, by the COM rule, that P does an input transition (^'(g'^/j > P 

P'), R does an output transition (\I'(X)^p l> R ^ ji'^ ^j^d that the subjects of the 

transitions are channel equivalent {^(^^p^'^r h M A K). The resulting communication 

between P and R is thus > P \ R {i'a){P' \ R'). 

To complete this step of the proof we need to find a Q' such that ^ [> Q \ R 
{va){Q' I P'), and , {ya){P' \ R'), {va){Q' \ R')) G 7^. 



i/G#P 

ifa#M,N 
if a#x, M, N 

ifaifp 
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The presence of assertions in the transitions comphcates the proof. We know that 

P ~* Q, and hence by Definition OIS]) that P Q. Since ^(^"^r > P P' , we 

can obtain a Q' such that > Q Q' and P' '^^^J^^^/^ Q' . However, this transition 

cannot communicate with ^'(8)^p l> R '^^'^"■'^> R'^ since that transition is derived by the 
assertion ^'(8)\I'p, and not ^^"^q. Moreover, M and K are channel equivalent by the 
assertion ^^^p^^r, and not ^^^q^^Rj which would be needed to derive the desired 
communication. In order to complete the proof, we need a lemma which switches the 
occurrences of to in the transition of R, as well as in the channel equality. 

Once a communication has been derived, we must prove that the corresponding deriva- 
tives {ua){P' I i?'), and {ua){Q' \ R') are in the candidate relation TZ. From the definition 
of IZ we get that this holds if P' Q', but we only know that P' Q' . In order 

to complete the proof, P' and Q' must be bisimilar in the assertion ^(^^'/j/, and not only 
in 

We provide lemmas which will address both of these obstacles in turn, after which 
this proof will be concluded. Lemma 15.111 simultaneously changes the assertion deriving 
the transition for R, and the channel equality, and Lemmas 15.121 and 15.131 ensure that 
the derivatives of the communicating agents are in the candidate relation TZ. Lemmas 
15.91 and 15.101 are two generally applicable lemmas used to prove Lemma 15.111 We define 
subj(M (z^a)A^) = M and similarly for input actions. 

The first lemma shows that given a finite set of names B that are fresh for P we can 
find a term M channel equivalent to the subject of an action from P whose names are fresh 
for B. 

Lemma 5.9 (Find equivalent term). 

B Cj\f AB finite A B#P 

A \> P P' where a t 
A bp#^,P,suhi{a),B 
=^ 3M . B#M 

A ^(g)*p h M A subj(a) 

Proof. A straightforward induction on the length of the derivation of the transition. In the 
base case we choose M as the prefix in the agent. □ 

The next lemma shows that given a transition we can find another transition whose 
subject is channel equivalent to the subject of the original transition and that leads to the 
same derivative as the original transition. 

Lemma 5.10 (Rewrite subject). 



A 
A 



The symmetric lemma where P does an input is omitted. 

Proof. A straightforward induction on the length of the derivation of the transition. □ 



^ > P (^")^) P' 
^'(g)^P \- K <^ M 
bp#^,P,K,M 
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We can now prove the lemma which allows us to simultaneously switch the assertions 
deriving a transition, as well as channel equality in a communication. This lemma looks a 
bit intimidating and the proof details can safely be skipped at a first reading. It says that if 
P and Q are bisimilar and P can communicate with R via the channel then there exists 
a channel K' such that Q can communicate with R via K' . 

Lemma 5.11 (Switching). 





P Q 


A 


^-0% > P P' 


A 


^(^^,p o R R> 


A 


^'(8)^'p<8)% \- K M 


A 


bR#bp,bQ,^,P,Q,R,K 


A 


bQ#^,R,P,Q,M 


A 


bp#R,M,^ 




BK'.^^^Q > R 


A 


*(8)^'q(8)^'r \- K' <^ M 


A 


bR#K' 



There is also a symmetric lemma where R does an input. 

Proof. By induction on the length of the derivation of the transition from R. We only look 

at one base case and one induction step here. The other cases are similar. 

Out: In this case R = KgN.R' for some term Kg, and the transition is derived like this: 

^(gj^fp h Kg ■(^ K 
Out ^ = 

^(^^P > KsN.R' ^ R' 

Since bp#^, R we get that ^'OJ'(P) \- Kg Kg. This in turn gives us that *(8)7'((5) 1" 
Kg o Kg, which means that \I'(8)^q h Kg o Kg. We then establish the first conjunct 
by: 

^-^^-Q ^ Kg^Kg 
Out — = 

^(gj^-Q > KgN.R' R' 

For the second conjunct, we have that ^i®'^p h Kg A K and that ^®^!p®l h K A M 
(since in this case is 1). Identity and transitivity then give us that ^^'^p h Kg -H- M. 
Since bpi^R,M we have that ^<^T{P) h Kg -H- M and since P and Q are bisimilar we 
also have that ^'®7'(Q) \- Kg ^ M. We finally get ^'(g^'Q \- Kg <^ M. The third 
conjunct is trivial since bp is empty. 
Scope: In this case R = {ub)R' for some name b and the transition is derived like this: 

Scope ^— 6#X {va)N, ^ 

^0^P > {vb)R! J£S^ (ub)R" 

Let b^^bp, bq, P, Q. Note that by definition we have ^(^i,b)R' = ^R'- We also have that 
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b(ub)R'#bp, bq, ^, P,Q, {ub)R', K 6/j/#6p, bq, P, Q, R' , K and that b^^b)R'#bp, bqA 

bp,bq^{i'b)R' A b^bp,bq bp,bq#R' . From the induction hypothesis we then get 

that ^®^Q > R' ^'^"^^^^ R'\ ^0xiiQ(^^j^, h M o K', and that bp'^K'. 

Prom the fact that P and Q are bisimilar we get that ^'®^'(-^,^)^/ > Q Q'. 

Let B = {b} U bpi. By Lemma 15.91 we learn that there exists a term K" such that 
I" K" o Af, fulfilhng the second obhgation, and that Bjj^K" . This gives 

us that bR>,bi^K". By transitivity we then get that ^(^'i/^^h^p,(E'^q h A K" . We 

now use Lemma ElO] to get that [> fi' ^" ^''°^^) i?". Finally we do the following 

derivation: 

M/^vI/Q t> R' J^J^ R" _ 

Scope wt^tt^ {va)N, * 

^^^Q > J^±^ {ub)R" 

That b(^^b)R>#K" follows from □ 

The following lemma proves that when an agent performs a transition, its frame is extended 
with a new assertion below): 

Lemma 5.12. If ^ \> R —^y n' and bp^R, N,C where C is a set of names, then 
3^-', such that T{R') = {iA)p,)^!p, A ~ A bR>#C,R'. 

Proof. A straightforward induction on the length of the derivation of the transition. □ 

Finally, we need a lemma which allows us to switch the environment for a bisimulation 
for an equivalent one. 

Lemma 5.13. If ^ [> P ^ Q and VJ/ ~ VI/' then ^' t> P Q 

Proof. The candidate relation for the bisimulation is 7^ = {(^', -P, (5):^'I>P~QA^'~ 

The four cases are proved separately. 
Case 1: Follows from the fact that ® is compositional, where the bound names of the 

frames of P and Q are alpha-converted not to clash with ^' . 
Case 2: 5 is trivially symmetric, since ~ and ~ are symmetric. 
Case 3: Follows from the fact that ® is compositional. 

Case 4: From the definition of ^ and the transition ^ [> P P', we obtain a Q' . s.t. 

^ > Q Q' 'iiid ^ [> P' ^ Q' . By induction on the derivation of this transition, and 

the fact that ^ ~ vj/', we get that ^' \> Q Q' . Moreover, since [> P' ~ Q' and 
~ 'f' we have that (^', P' , Q') G 5. □ 

With these lemmas in place we complete the proof of Theorem l5.5l fT]) commenced at the 
beginning of this section. The case we are proving is when P \ R performs a communication. 
We must find a corresponding transition from Q \ R such that the derivatives remain in the 
candidate relation TZ. The agents P and R can communicate using the following derivation. 

M,^^^ ^ P p' 

'^P®'^ > R R' -^(^-^p^-^R h M K _ 
Com a#i? 

^! t> P\R {ya){P' j R!) 
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Our goal is to replace P with Q in the premises so that we can derive the simulating 
transition. Let J-{Q) = {i'bQ)^Q be such that bQ^P,bfi,R,'^,M. 

We use Lemma ISTTT] to obtain ^Q(^'i> > R — ^> R' and ^iS>^q(^^r h A/ o K'. 

Since P and Q are bisimilar we have that ^-O^ > Q ^^^''°^^> Q' . We then derive the 
following: 

^^^^ > Q Q> 

O R R' ^-^^Q^^-ij h M O ^ 
Com a#i? 

^ [> Q I ^ I R') 

We know that P' ~^((g)^i^ Q' and by clause E] in the definition of bisimulation (extension of 
arbitrary assertion) that P' ~*®<i-^(g)ii>' Q' for any By Lemma 15.121 we know that there 
exists a ^" such that ^/j(8)^" — ^'r' , so in particular, using Lemma 15.131 we have that 
P' Q' We then conclude that (^', | R'), (z^S)(Q' | i?')) ^ 7^. □ 

The proofs of theorems I5.3I5.5H5.8I follow a similar pattern, using induction over the 
lengths of the derivations of the transitions. The part we have just shown is the most 
challenging. Further proofs are found in [JohlOj . 

6. FORMALISATION IN ISABELLE 

As the complexities of calculi increase, the proofs become more complicated and there- 
fore more error prone. In Section [3] we discussed how both the applied pi-calculus and the 
concurrent constraint pi-calculus have turned out to be non-compositional. This hints at the 
complexity of the proofs and the difficulty of getting them right. Our proofs for psi-calculi 
are also sometimes long and intricate. For example, the proof sketch of Theorem I5.5I |T|). 
described in the previous section, is substantially more complicated than its corresponding 
proof for the pi-calculus. However, we emphasise that the proof is not substantially different 
in structure: it is just a set of properties of transitions, all established by induction over the 
the definition of the semantics. In this, psi-calculi are simpler than many other calculi that 
rely on stratified definitions of the semantics with devices such as a structural congruence. 

In order to ensure that proofs are correct, automated and interactive proof assistants 
or theorem provers can be used to formally verify the proofs with the aid of a computer. 
We have completely formalised all results in Section [U with the exception of Theorem 15. 4^ 
in the interactive theorem prover Isabelle. To the best of our knowledge, no calculus of 
this complexity has previously been formalised in a theorem prover. We have earlier |BP07j 
formalised a substantial part of the pi-calculus meta-theory in Isabelle. This section will 
cover the main extensions needed to formalise the framework for psi-calculi. More in-depth 
expositions are found in |BP091 IBenlOj . 

6.1. Alpha-equivalence. The main difficulty with formalising any process algebra in a 
theorem prover is to reason about alpha-equivalence in a convenient way. When conducting 
manual proofs on paper this notion is often glossed over, and statements such as "we assume 
any bound name under consideration to be sufficiently fresh" are commonplace. For machine 
checked proofs this poses a problem. Exactly what does it mean for a bound name to be 
sufficiently fresh? 
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We use Nominal Isabella |Urb08] to formalise datatypes with binders, and to reason 
about them up to alpha-equivalence; in other words, all our proofs deal with alpha equiva- 
lence classes rather than with particular representatives. As usual alpha variants of agents 
are identified , so e.g. {va)P = {vh){{a b) ■ P), when b^^P, and similarly for names bound in 
the input construct. Formally, name swapping on agents distributes over all constructors, 
and substitution on agents avoids captures by binders through alpha-conversion as usual. In 
that way Nominal Isabelle provides an alpha-equivalence class of agents where the support 
of P is the union of the supports of the components of P, removing the bound names. This 
corresponds to the names with a free occurrence in P. 

Frames contain binders and we reason about their alpha equivalence classes in the same 

way. Also, transitions contain binders. Consider the output transition ^ > P p> 
To be completely formal, as described in [BP07j . a is a binding occurrence with a scope 
that contains both and P' . We accomplish this by creating a datatype containing both 
an action and the derivative process as follows. 

Definition 6.1 (Residuals). A residua/ with the action a and the derivative P', is written 
a -< P'. 

Thus we have the following three forms of residuals: 

M{ua)N ^ P' Output 
MN<P' Input 
T ^P' Silent 

In the Output residual, a binds into both A^ and P' . In this way we get a nominal datatype 
of residuals where name swapping just distributes to its components and the support is 
the free names. A transition is then simply a pair consisting of an agent and a residual. 
Again, Nominal Isabelle allows us to reason about alpha equivalence classes of transitions. 
Typically a property of transitions is established by induction, with one case for each rule. 
This means that we assume the property of the premise of the rule, and must establish it for 
the conclusion. Since we work with alpha equivalence classes it is enough to establish the 
property for one representative of the alpha equivalence class. This formalises the principle 
that we may always pick bound names fresh. 

Datatypes for agents, frames and transitions in Nominal Isabelle require sequences 
of binders, e.g. in the input prefix and in the output action. It is important to reason 
about arbitrarily long binding sequences as atomic objects, otherwise there would be a 
constant need for inductive proofs over the length of these sequences. Nominal Isabelle 
only supports single binders, and we have therefore created infrastructure to reason about 
arbitrarily long binding sequences. When alpha-converting a binding sequence, we generate 
a name permutation p which when applied to the sequence makes it sufficiently fresh. The 
same permutation is then applied to everything under the scope of the binders, for example: 

M{\x)N.P = M{\p ■x){p-N).{p-P) if p C i X (p • x) and {p ■ x) # (N, P) 

The side condition of this alpha-conversion looks a bit intimidating, but intuitively p swaps 
members of the original binding sequence to other names such that the resulting bind- 
ing sequence meets the desired freshness constraints. This style of alpha-conversion was 
first introduced by Urban and Berghofer, although to the best of our knowledge it is still 
unpublished. We cover it more extensively in jBP09j . 
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6.2. Formalising parametric calculi. The framework for psi-calculi is a parametric for- 
malism. A psi-calculus agent consists of terms, assertions and conditions. This is modelled 
in Isabelle by creating a polymorphic datatype with three type variables. A psi-calculus 
agent will thus have the type (a, /3, 7) psi, where a, /3, and 7 represents terms, assertions, 
and conditions respectively. All members of these types need to have finite support. 

Isabelle has excellent facilities for a parametric style of reasoning through the use of 
locales |Bal03j . Locales allow us to specify which functions must exist for the parameters, 
and which assumptions must hold on them. The entire proof structure of the meta theory 
is then built using the provided locale parameters. When creating a psi-calculus instance, 
the functions must be provided and the assumptions must be proved. Once this is done, all 
meta-theoretical proofs will be guaranteed to hold for the new instance. 

One requirement from Section 12.11 is that there is a substitution function which substi- 
tutes terms for names in assertions, conditions and terms. To this end, a locale is created 
with a substitution function of type 6 name list — )■ a list — >■ 5, where the type a will 
be what we use for terms, and the type 6 can be any of the three nominal sets. The locale 
contains the following assumptions, which implement the requirements of a substitution 
function mentioned in Section 12.11 

Equivariance: p ■ {X[x := T]) = (p ■ X) [{p ■ x) := {p ■ T)] 

Freshness: if x C n{X) and a^X[x := T] then a^T 

Alpha-equivalence: if p C x x (p • i) and {p ■ x)^X then 

X[x :=T] = {p-X)[{p-i) :=r] 

The assumptions on this locale are straightforward. As all functions in any nominal for- 
malisation, substitution must be equivariant. Freshness is a reformulation of requirement 1 
in Section 12.11 Similarly, Alpha-equivalence is requirement 2. Intuitively this means that 
the vector being substituted is switched to one which is sufficiently fresh. As an example 
of its use, consider the Input rule. 

M ^ K 

In — 

^ > M{Xy)N.P ^^\-y-^\ p[y ■= L] 

If a proof requires the input agent to be alpha-converted to M_{\p ■y){p- N).{p ■ P) such 
that p ■ y \s sufficiently fresh, it is necessary to convert A^[y := L] to [p ■ N)[{p • y) := L], 
and P[y := L] to {p ■ P)[{p ■ y) '■= L] to still be able to derive the input transition. The 
last constraint accomplishes this. This locale is then instantiated three times: for terms, 
assertions and conditions respectively. 

The nominal morphisms in Definition 12.11 are modelled in a locale which specifies their 
existence and equivariance properties. Inside this locale we also define equivalence for 
assertions and frames and provide an infrastructure for reasoning about equivalence. This 
locale is then extended with the requisites in Definition 12.31 

Finally, the substitution locale is combined with the locale for equivalence to form 
an environment in which the rest of the theories can be proved. The locales offer a very 
intuitive way of reasoning about parametric systems, and without them this formalisation 
would have been very hard. 
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6.3. Encoding partial operators. In Definition 12.61 there is a well-formedness condition 
that all agents occurring under a Case or Replication operator must be guarded. Formally, 
this means that these operators are not total. For example, (\^\) is an agent but Id'I'D is 
not. 

To represent this in Isabelle, we take the technically easiest approach to augment the 
Case and the REP-rules of the operational semantic with a premise that the agents they 
operate on are guarded. In effect this allows non well-formed agents, but they have no 
transitions and are all bisimilar to 0. All Isabelle proofs hold for all agents, so in particular 
they hold for all well-formed agents. Therefore the Isabelle formalisation establishes the 
theorems presented in this paper. A few lemmas, for example that bisimilarity is preserved 
by Replication, need an extra premise that the agents are guarded, but in the vast majority 
of lemmas the necessary properties follow from the operational semantics. 

An alternative would be to constrain the datatype representing agents to well formed 
agents and thus ensure that all inhabitants of that type meet the required constraints. This 
more closely resembles Definition 12.61 and would be the method of choice for use with a 
theorem prover such as Coq that supports dependent typing. There the well-formedness 
conditions can be integrated into the psi-datatypes, i.e. for all proofs we can assume that we 
are only dealing with well-formed agents. The downside of this approach is that whenever 
an agent is constructed, a proof that it is well-formed must also be supplied. 

A third option to encode partial operators would be to decorate all lemmas which use 
the well formedness property with an assumption that the agents are well formed. We 
avoided this since it would clutter up a significant amount of lemmas with extra premises. 

6.4. Results and experiences. Using Isabelle to formalise the proofs for psi-calculi in 
parallel to its development has turned out to be invaluable, and we would certainly not 
have finished successfully without it. Throughout the development we have uncountable 
times stumbled over slightly incorrect definitions and not quite correct lemmas, prompting 
frequent changes in the framework. For example, our mistake in |JPVB08] mentioned in 
Section [2. 61 was found during proof mechanisation and would probably not have been found 
at all without it; at that time we had completed a manual "proof that turned out incorrect. 
The Isabelle formalisation gives us a high degree of confidence in the proved theorems, and 
equally important, it gives us a repository of proofs and proof strategies that can be re-used 
when some detail needs to change. Finding out which ramifications a change has on the 
proofs is quick and straight forward. With manual proofs, changing a detail would mean 
the boring and dangerously error prone process of going over each proof by hand. 

As just one example, in a previous version, the Case rule looked as follows: 

Old-Case 

^ t> case if : P Pi 

In this rule, the choice of which branch to take in a case statement yields an internal action, 
after which the process P evaluates as usual. An implication is that the requirement that P 
is guarded can be omitted. We initially adopted this rule since it admits simpler induction 
proofs. At a quite late stage we decided to change it to the present rule, since this more 
closely resembles what is used in similar calculi. The change prompted a rework of the entire 
proof tree from the semantics and up. The total effort was approximately eight hours, and 
we now know that the new rule does not cause any problems. 
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Currently we have formally proved theorems I5.3|5.5f[5.8l using Isabelle, including all 
supporting lemmas. The entire implementation in Isabelle is about 18000 lines of code. 
It includes infrastructure for smooth treatment of binding sequences, and it has developed 
gradually over two years. The total effort for the present framework is hard to assess, since 
it has followed us through many failed attempts and false starts. Once in place the marginal 
effort of formalising more results is manageable. As an example, the total effort in proving 
Theorem 15.31 which was one of the last things we implemented, was less than one day. 



7. Conclusion and Further Work 

We have defined a framework for mobile process calculi, parametrised on nominal types 
for data terms and for a logic to express assertions and conditions. The expressiveness sur- 
passes the most advanced competing calculi. The semantics is a single inductive definition, 
which means that proofs are comparatively easy. We have fully formalised the framework 
in the interactive theorem prover Isabelle, which gives us full confidence in our results on 
bisimulation and provides a readily available infrastructure for conducting proofs of many 
instances and variants. 

In I J VP 10] we develop a symbolic semantics and bisimulation equivalence, and prove 
full abstraction with regards to ~. This kind of semantics is essential for reducing the state 
space explosion when exploring transitions and comparing for equivalence, making it ideal 
for use in automated tools. In [JBPVIO] we explore weak bisimulation equivalence, where 
r actions are considered unobservable. Our results indicate that the presence of assertions 
significantly complicates the definitions, in contrast to the situation with strong bisimula- 
tion. Interestingly, for psi-calculi that satisfy weakening (i.e. ^ \- f ==;>■ h (p) the 
definitions can be greatly simplified. We also investigate a barbed equivalence and deter- 
mine what kind of observations are needed for full abstraction. The current development 
of psi-calculi is covered in [JohlOj and the associated formalisation in Isabelle is accounted 
for in [BenlOj . 

We intend to explore typed psi-calculi. One idea is to find out what properties the 
type system must have in order for the usual theorems such as subject reduction to hold. 
We are also considering variants of psi-calculi with broadcast communication, where one 
sender may communicate directly with several receivers, and higher order communication, 
where agent definitions can be transmitted and executed by the recipient. It seems that 
both these variants can be accommodated with very small changes of the semantics and 
that large parts of our formal proofs carry over. 
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